Analysis
max time kernel: 142s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 16:45
Static task: static1
Behavioral task: behavioral1
Sample: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe
Size: 282KB
MD5: e5638483b1e667b623101e4a4815d229
SHA1: 62f596d729a3eb08554787c77f80d387d49f117e
SHA256: 67fd9c21a9f3ddcd5bfe3a2368e5cc0f60622fd484d79b234e83493aef665196
SHA512: e7fc2f61b9a8d760f08f5677f4f72947f1c1c7b4e0c2405d70167dabbf29c8290ad22a4b95c66765b87f85885ca533bf73dd60d3ca995438936db87ca8f7285e
SSDEEP: 6144:crPrgEYF57R69Um+nEY0kqk4PXzCPamiHtRNCI6X:2gXF9R6ym+skK07mKX
Malware Config
Signatures
Modifies security service (2 TTPs, 1 IoC)
Process: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"
wscsvc is the Windows Security Center service; a Start value of 3 changes it from Automatic (2) to Manual, so it no longer starts at boot.
Disables taskbar notifications via registry modification
The IoC for this is the HideSCAHealth policy value listed under "System policy modification" below.
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Process: explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components
Executes dropped EXE (1 IoC)
Process: 96D3.tmp (PID 2724)
Loads dropped DLL (2 IoCs)
Process: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe (PID 2712), 2 occurrences
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
YARA rule matches (rule: upx)
Memory regions:
  behavioral1/memory/2712-1-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2712-11-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/1836-13-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2712-82-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2156-85-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2156-84-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2712-176-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2712-195-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2156-197-0x0000000001FE0000-0x00000000020E0000-memory.dmp
  behavioral1/memory/2712-198-0x0000000000400000-0x000000000046C000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
Process: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9A6.exe = "C:\\Program Files (x86)\\LP\\8620\\9A6.exe"
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (3 IoCs)
Process: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe
  File created C:\Program Files (x86)\LP\8620\9A6.exe
  File opened for modification C:\Program Files (x86)\LP\8620\96D3.tmp
  File opened for modification C:\Program Files (x86)\LP\8620\9A6.exe
Modifies registry class (5 IoCs)
Process: explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Process: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe (PID 2712), 14 occurrences
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: explorer.exe (PID 1480)
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Process: msiexec.exe (PID 2572)
  Token: SeRestorePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeSecurityPrivilege
Process: explorer.exe (PID 1480)
  Token: SeShutdownPrivilege, 12 occurrences
Suspicious use of FindShellTrayWindow (28 IoCs)
Process: explorer.exe (PID 1480), 28 occurrences
Suspicious use of SendNotifyMessage (18 IoCs)
Process: explorer.exe (PID 1480), 18 occurrences
Suspicious use of WriteProcessMemory (12 IoCs)
Process: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe (PID 2712)
  PID 2712 wrote to memory of PID 1836 (procid_target 30), 4 occurrences
  PID 2712 wrote to memory of PID 2156 (procid_target 32), 4 occurrences
  PID 2712 wrote to memory of PID 2724 (procid_target 35), 4 occurrences
System policy modification (1 TTP, 2 IoCs)
Process: e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
HideSCAHealth = 1 hides the Action Center / Security Center icon from the notification area, so the user is not warned when the Security Center service (stopped above) is no longer running.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
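Detection logic for the registry-based IoCs in the signatures above, as an added example that is not part of the sandbox report or of the sample. The event records are constructed in the shape of Sysmon FileCreate (Event ID 11) and RegistryEvent SetValue (Event ID 13) entries and carry the paths and values the report lists, plus two benign controls; the field layout and rule names are assumptions made for this example. The Run-key rule is stateful: it only fires when the value points at a file the same PID was seen creating, which is the pattern the report shows (PID 2712 creates 9A6.exe, then registers it under Run).

```python
"""Rules for the wscsvc, HideSCAHealth and self-dropped Run-key IoCs (added example)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe"

# Run / RunOnce value under either the native or the Wow6432Node view.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Security Center service start type: 2 = Automatic, 3 = Manual, 4 = Disabled.
WSCSVC_START = re.compile(r"\\services\\wscsvc\\Start$", re.IGNORECASE)
# Explorer policy that hides the Action Center / Security Center tray icon.
HIDE_SCA_HEALTH = re.compile(r"\\Policies\\Explorer\\HideSCAHealth$", re.IGNORECASE)
DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def dword(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000003)'; return the int or None."""
    m = DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def image_path(details):
    """Extract the executable path from a Run-key command line, quoted or not."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", d, re.IGNORECASE)
    return m.group(1) if m else d


class Detector:
    """Remembers which files each PID created so that a later Run-key write
    pointing at one of them is attributed to the dropping process."""

    def __init__(self):
        self.created = defaultdict(set)  # pid -> lower-cased paths it created

    def process(self, ev):
        pid, target = ev["ProcessId"], ev["TargetObject"]
        if ev["EventType"] == "FileCreate":
            self.created[pid].add(target.lower())
            return []
        if ev["EventType"] != "RegSetValue":
            return []
        details = ev.get("Details", "")
        hits = []
        if RUN_KEY.search(target) and image_path(details).lower() in self.created[pid]:
            hits.append("run_key_points_to_self_dropped_exe")
        if WSCSVC_START.search(target) and dword(details) not in (None, 2):
            hits.append("security_center_service_start_changed")
        if HIDE_SCA_HEALTH.search(target) and dword(details) == 1:
            hits.append("action_center_icon_hidden")
        return hits


def scan(events):
    """Return (pid, rule) pairs in event order."""
    det = Detector()
    return [(ev["ProcessId"], rule) for ev in events for rule in det.process(ev)]


# Constructed events: the four IoCs from the report attributed to PID 2712,
# followed by two benign controls (a Run value for a binary the writer did not
# drop, and a wscsvc start type left at Automatic). Field names are assumed.
SAMPLE_EVENTS = [
    {"EventType": "RegSetValue", "ProcessId": 2712, "Image": SAMPLE,
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\wscsvc\Start",
     "Details": "DWORD (0x00000003)"},
    {"EventType": "FileCreate", "ProcessId": 2712, "Image": SAMPLE,
     "TargetObject": r"C:\Program Files (x86)\LP\8620\9A6.exe"},
    {"EventType": "RegSetValue", "ProcessId": 2712, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9A6.exe",
     "Details": r"C:\Program Files (x86)\LP\8620\9A6.exe"},
    {"EventType": "RegSetValue", "ProcessId": 2712, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
     "Details": "DWORD (0x00000001)"},
    {"EventType": "RegSetValue", "ProcessId": 4000, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"EventType": "RegSetValue", "ProcessId": 4000, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\wscsvc\Start",
     "Details": "DWORD (0x00000002)"},
]


def demo():
    """Run the rules over the constructed events; three hits, all for PID 2712."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in demo():
        print(f"PID {pid}: {rule}")
```

The service-start rule treats any non-Automatic value as a hit because both Manual (3, what this sample sets) and Disabled (4) stop Security Center from running at boot; tune the benign-controls list to your fleet before deploying, since legitimate installers also write Run values under Program Files.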
Processes
C:\Users\Admin\AppData\Local\Temp\e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe (PID 2712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe (PID 1836, child of 2712)
    Command line: C:\Users\Admin\AppData\Local\Temp\e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\04245\9EE86.exe%C:\Users\Admin\AppData\Roaming\04245
  C:\Users\Admin\AppData\Local\Temp\e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe (PID 2156, child of 2712)
    Command line: C:\Users\Admin\AppData\Local\Temp\e5638483b1e667b623101e4a4815d229_JaffaCakes118.exe startC:\Program Files (x86)\45453\lvvm.exe%C:\Program Files (x86)\45453
  C:\Program Files (x86)\LP\8620\96D3.tmp (PID 2724, child of 2712)
    Command line: "C:\Program Files (x86)\LP\8620\96D3.tmp"
    - Executes dropped EXE
C:\Windows\system32\msiexec.exe (PID 2572)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe (PID 1480)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 99KB
MD5: 9d83b6d4629b9d0e96bbdb171b0dc5db
SHA1: e9bed14c44fe554e0e8385096bbacca494da30b1
SHA256: d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d
SHA512: 301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c

Filesize: 600B
MD5: 1ba5bead2c1e67dcfe4c680e079af11a
SHA1: 04348e3c49b4b22465f403c54635b4ebf4554080
SHA256: d4710de094124d8dfebc02a07aa685bc8b97d8a9fe11e22d5d849a6dc3c70aed
SHA512: 9f886a0cd0ae083c6d7237b528ed2efd8fb4404d529efa5da2df9eb9219a67a39404d6527918e20432618fb7953fda96d54064fc7194999e4e2e09e0347ab677

Filesize: 996B
MD5: 0c464f3503a9a3643e34bbf38a3020ec
SHA1: ffe267b041f3e2e6fa7986837eda79f089be43fd
SHA256: fc08602b95545d113fb43b1e9c80b19a861c4868e21fb6872dddc121981b4ee0
SHA512: 980e46ce4f12bcb82dd36f57ecf06333106f972571a442737970dcaf5adfe498a5524bef44b04b58e880fd23aaa60fc5ee48dd16cf8b1d90788e1885513830e3