986fea5b8de1e017b0cc984e3cc2af5a4be7d3222820fb63f425a6250eb8308a

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 08:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe
Size

24KB
MD5

cf059f871ac25a8961b2dc203b5ce7fc
SHA1

0929957bf3b01042da379324dba97ffba31e1907
SHA256

986fea5b8de1e017b0cc984e3cc2af5a4be7d3222820fb63f425a6250eb8308a
SHA512

ded0d89d3f96be55d2eb976da600c6eae43366167fb9ec9e43ae773f35b5290aff6e57bfec0186887ab893643eb92feb4bf23ebfe6253c9088282fa4ff71f84e
SSDEEP

384:E3eVES+/xwGkRKJ6alM61qmTTMVF9/q510:bGS+ZfbJ6aO8qYoAa

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1136	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2232	ipconfig.exe
2868	NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	tasklist.exe
Token: SeDebugPrivilege	2868	NETSTAT.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1900	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe
1900	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2064	1900	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe	28
PID 1900 wrote to memory of 2064	1900	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe	28
PID 1900 wrote to memory of 2064	1900	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe	28
PID 1900 wrote to memory of 2064	1900	cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2376	2064	cmd.exe	30
PID 2064 wrote to memory of 2376	2064	cmd.exe	30
PID 2064 wrote to memory of 2376	2064	cmd.exe	30
PID 2064 wrote to memory of 2376	2064	cmd.exe	30
PID 2064 wrote to memory of 2232	2064	cmd.exe	31
PID 2064 wrote to memory of 2232	2064	cmd.exe	31
PID 2064 wrote to memory of 2232	2064	cmd.exe	31
PID 2064 wrote to memory of 2232	2064	cmd.exe	31
PID 2064 wrote to memory of 1136	2064	cmd.exe	32
PID 2064 wrote to memory of 1136	2064	cmd.exe	32
PID 2064 wrote to memory of 1136	2064	cmd.exe	32
PID 2064 wrote to memory of 1136	2064	cmd.exe	32
PID 2064 wrote to memory of 2632	2064	cmd.exe	34
PID 2064 wrote to memory of 2632	2064	cmd.exe	34
PID 2064 wrote to memory of 2632	2064	cmd.exe	34
PID 2064 wrote to memory of 2632	2064	cmd.exe	34
PID 2632 wrote to memory of 2580	2632	net.exe	35
PID 2632 wrote to memory of 2580	2632	net.exe	35
PID 2632 wrote to memory of 2580	2632	net.exe	35
PID 2632 wrote to memory of 2580	2632	net.exe	35
PID 2064 wrote to memory of 2868	2064	cmd.exe	36
PID 2064 wrote to memory of 2868	2064	cmd.exe	36
PID 2064 wrote to memory of 2868	2064	cmd.exe	36
PID 2064 wrote to memory of 2868	2064	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf059f871ac25a8961b2dc203b5ce7fc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2232
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\SysWOW64\net.exe
    net start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\flash.log

Filesize
8KB

MD5
2949ee425d6240719a53312630b01c69

SHA1
fd8081a8ca0a6126936c6c4c2a7d41abb331cd99

SHA256
efad31c1e785d0fdfa4366e7be1876bcf9473c45c73e45bd68c32ba7d6678aad

SHA512
95068fd3bbc812a44964c3bdb1e6451987148d0629f1390f8e734ac13e84049985960f7a060e35b172c930d4df370dd18b23242dc235ba6e127e897423aff163

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads