Analysis
- max time kernel: 147s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 08-04-2024 01:23
Static task: static1

Behavioral task: behavioral1
- Sample: e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
- Size: 207KB
- MD5: e64fb5c1892506ac48ce934e71db4c1d
- SHA1: 52abff48819595df2c0e6dc51306dba2d872ccd4
- SHA256: 5a424ae330686d55dc756d3f588cb1ab91e0905f299f80171e419a9e1b148334
- SHA512: 084223e29e7c774a787a19087a3df9cecb21757fb53c9d75273dcab95aa897ac6c8f24f9d35227592260fa9986b009adf890a9edd39305e69710123f3ba345ea
- SSDEEP: 3072:w+haN9DBd2Uaai11OBxGl9xBjpj0Rz2mw2E7dskp8biwBRk5BmdBKemZEAmrc++:fha/D+Yi7O2BpARutp8bim0mdAp4T+
Malware Config
Signatures
- Disables taskbar notifications via registry modification
- Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components [explorer.exe]
- Deletes itself (1 IoCs)
  Processes: fqe.exe
  - PID 2708 fqe.exe
- Executes dropped EXE (2 IoCs)
  Processes: fqe.exe
  - PID 2628 fqe.exe
  - PID 2708 fqe.exe
- Loads dropped DLL (2 IoCs)
  Processes: e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
  - PID 2904 e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe (2 entries)
- Modifies system executable filetype association (2 TTPs, 17 IoCs)
  Processes: fqe.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\Content Type = "application/x-msdownload" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start\command [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\DefaultIcon [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\DefaultIcon\ = "%1" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\ = "Application" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fqe.exe\" -a \"%1\" %*" [fqe.exe]
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: fqe.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" [fqe.exe]
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe, fqe.exe
  - PID 2872 set thread context of 2904 (pid 2872, process e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe, procid_target 29)
  - PID 2628 set thread context of 2708 (pid 2628, process fqe.exe, procid_target 31)
- Modifies registry class (41 IoCs)
  Processes: fqe.exe, explorer.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon\ = "%1" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fqe.exe\" -a \"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\Content Type = "application/x-msdownload" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\fqe.exe\" -a \"%1\" %*" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\DefaultIcon\ = "%1" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU [explorer.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\ = "exefile" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\DefaultIcon [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\start [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\ = "Application" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings [explorer.exe]
  - Set value (data): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff [explorer.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\Content Type = "application/x-msdownload" [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\runas\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\DefaultIcon [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\open\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.exe\shell\start\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\open\command [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas [fqe.exe]
  - Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" [fqe.exe]
  - Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell [explorer.exe]
  - Set value (data): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots [explorer.exe]
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe, fqe.exe
  - PID 2904 e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe (9 entries)
  - PID 2708 fqe.exe (5 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: explorer.exe
  - PID 2572 explorer.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: explorer.exe
  - Token: SeShutdownPrivilege, PID 2572 explorer.exe (16 entries)
- Suspicious use of FindShellTrayWindow (35 IoCs)
  Processes: fqe.exe, explorer.exe
  - PID 2572 explorer.exe (31 entries)
  - PID 2708 fqe.exe (4 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: explorer.exe, fqe.exe
  - PID 2572 explorer.exe (22 entries)
  - PID 2708 fqe.exe (2 entries)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe, fqe.exe
  - PID 2872 wrote to memory of 2924 (pid 2872, process e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe, procid_target 28), 4 entries
  - PID 2872 wrote to memory of 2904 (pid 2872, process e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe, procid_target 29), 8 entries
  - PID 2904 wrote to memory of 2628 (pid 2904, process e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe, procid_target 30), 4 entries
  - PID 2628 wrote to memory of 2708 (pid 2628, process fqe.exe, procid_target 31), 8 entries
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe"
  PID: 2872
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2924
  - C:\Users\Admin\AppData\Local\Temp\e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe"
    PID: 2904
    Signatures:
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\fqe.exe
      Command line: "C:\Users\Admin\AppData\Local\fqe.exe" -gav C:\Users\Admin\AppData\Local\Temp\e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
      PID: 2628
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Users\Admin\AppData\Local\fqe.exe
        Command line: "C:\Users\Admin\AppData\Local\fqe.exe" -gav C:\Users\Admin\AppData\Local\Temp\e64fb5c1892506ac48ce934e71db4c1d_JaffaCakes118.exe
        PID: 2708
        Signatures:
        - Deletes itself
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2572
  Signatures:
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- Filesize: 207KB
- MD5: 3912eb9a16a9b44caef3fbc909d89c07
- SHA1: 29bbac90992f6689d2d6f327449dd4a12c292c69
- SHA256: c1897ee57799be85407d3dc2ddd4a36559bb3556c74b00a38646e0e046fccaae
- SHA512: a0406ff4fe04f992e895bcd4dca3497c10294e4fc3f17604296036d21e60a7ac5871d81b140336ca78612485b2e07c56fe2429879e63262d0c0e943e549ec815