Analysis
- max time kernel: 151s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-04-2024 12:09
Static task: static1
Behavioral task: behavioral1
- Sample: d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
- Size: 580KB
- MD5: d35381609a7837b54625620b260ceba0
- SHA1: e2a849cd29fe4584fe183ec4a3d231b96c11510f
- SHA256: e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54
- SHA512: a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e
- SSDEEP: 12288:Q4gzhRXZrOMlRYpl3U077HwPoTxqLWPiXjJ/whUFT:ehRXZr1ypl3p77QwTUki9/who
Malware Config
Signatures
Drops startup file 1 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamerrorreporter.qtsfdaax.lnk (process: d35381609a7837b54625620b260ceba0_JaffaCakes118.exe)
Executes dropped EXE 2 IoCs
Processes:
- PID 2780 steamerrorreporter.exe
- PID 2396 steamerrorreporter.exe
Loads dropped DLL 15 IoCs
Processes:
- PID 2444 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe (2 entries)
- RegAsm.exe, one entry each for PIDs 2196, 472, 268, 1616, 1600, 2068, 1404, 396, 2244, 984, 1072, 2228, 1628
Obfuscated with Agile.Net obfuscator 6 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource, yara_rule):
- behavioral1/memory/2196-21-0x0000000000400000-0x000000000046E000-memory.dmp: agile_net
- behavioral1/memory/2196-23-0x0000000000400000-0x000000000046E000-memory.dmp: agile_net
- behavioral1/memory/2196-25-0x0000000000400000-0x000000000046E000-memory.dmp: agile_net
- behavioral1/memory/2244-116-0x00000000000A0000-0x000000000010E000-memory.dmp: agile_net
- behavioral1/memory/2244-120-0x00000000000A0000-0x000000000010E000-memory.dmp: agile_net
- behavioral1/memory/2244-123-0x00000000000A0000-0x000000000010E000-memory.dmp: agile_net
Suspicious use of SetThreadContext 13 IoCs
Processes:
- PID 2780 steamerrorreporter.exe set thread context of RegAsm.exe, one entry each for target PIDs 2196, 268, 472, 1616, 1600, 2068, 1404, 396, 2244, 984, 1072, 2228, 1628
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
- PID 2780 steamerrorreporter.exe (31 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2444 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 2780 steamerrorreporter.exe
- Token: SeDebugPrivilege, PID 2396 steamerrorreporter.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 2444 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- PID 2444 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and process, target PID and process, number of entries):
- PID 2444 d35381609a7837b54625620b260ceba0_JaffaCakes118.exe wrote to memory of 2780 steamerrorreporter.exe (4 entries)
- PID 2780 steamerrorreporter.exe wrote to memory of 2396 steamerrorreporter.exe (4 entries)
- PID 2780 steamerrorreporter.exe wrote to memory of 2196 RegAsm.exe (12 entries)
- PID 2780 steamerrorreporter.exe wrote to memory of 268 RegAsm.exe (12 entries)
- PID 2780 steamerrorreporter.exe wrote to memory of 472 RegAsm.exe (12 entries)
- PID 2780 steamerrorreporter.exe wrote to memory of 1616 RegAsm.exe (10 entries)
- PID 2780 steamerrorreporter.exe wrote to memory of 1600 RegAsm.exe (10 entries)
Processes
- [1] "C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe" (PID 2444)
  Signatures: Drops startup file; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [2] "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe" (PID 2780)
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe" (PID 2396)
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 2196)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 268)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 472)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 1616)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 1600)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 2068)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 1404)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 2244)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 396)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 984)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 1072)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 1628)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 2228)
      Signatures: Loads dropped DLL
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 2576)
    - [3] "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" (PID 3000)
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 136KB
  - MD5: 9af5eb006bb0bab7f226272d82c896c7
  - SHA1: c2a5bb42a5f08f4dc821be374b700652262308f0
  - SHA256: 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
  - SHA512: 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
- File 2
  - Filesize: 580KB
  - MD5: d35381609a7837b54625620b260ceba0
  - SHA1: e2a849cd29fe4584fe183ec4a3d231b96c11510f
  - SHA256: e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54
  - SHA512: a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e