Analysis
max time kernel: 142s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 06:58
Static task: static1
Behavioral task: behavioral1
Sample: e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
Size: 282KB
MD5: e6e43e90b2bbf47cfc25407368464e81
SHA1: f15c6208127fe4966e2509dc811efa63eb71fcac
SHA256: bebe323a6423d5618996ad8db00f329a1d4fd0bbdb5a0c1c57f803d92ecac278
SHA512: e453de06f90fe6f1940b288e0656000419c9b663067ddf8a38306baa4d17fb077a5355b63cbc1ba82b309753215fcba9796ee7b54c9dcd70799f3e469e50df65
SSDEEP: 6144:crPreEYF57R69Um+nEY0kqk4PXzCPamiHtRNCI6X:2eXF9R6ym+skK07mKX
Malware Config
Signatures
Modifies security service (2 TTPs, 1 IoC)
Disables taskbar notifications via registry modification.
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2896 | 9B65.tmp
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  2340 | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
  2340 | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource | yara_rule
  behavioral1/memory/2340-1-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/2340-11-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/1448-14-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/1448-13-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/2340-73-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/268-76-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/2340-191-0x0000000000400000-0x000000000046C000-memory.dmp | upx
  behavioral1/memory/268-192-0x00000000002E0000-0x00000000003E0000-memory.dmp | upx
  behavioral1/memory/2340-196-0x0000000000400000-0x000000000046C000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7C8.exe = "C:\\Program Files (x86)\\LP\\0F04\\7C8.exe" | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (3 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\LP\0F04\7C8.exe | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\LP\0F04\7C8.exe | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\LP\0F04\9B65.tmp | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
Modifies registry class (5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid | process
  2340 | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe (14 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  2712 | explorer.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2580 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
  Token: SeSecurityPrivilege | 2580 | msiexec.exe
  Token: SeShutdownPrivilege | 2712 | explorer.exe (12 identical entries)
Suspicious use of FindShellTrayWindow (28 IoCs)
Processes:
  pid | process
  2712 | explorer.exe (28 identical entries)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
  pid | process
  2712 | explorer.exe (18 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 2340 wrote to memory of 1448 | 2340 | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe (4 identical entries)
  PID 2340 wrote to memory of 268 | 2340 | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe (4 identical entries)
  PID 2340 wrote to memory of 2896 | 2340 | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe | 9B65.tmp (4 identical entries)
System policy modification (1 TTP, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\48C17\C490F.exe%C:\Users\Admin\AppData\Roaming\48C17
  C:\Users\Admin\AppData\Local\Temp\e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\e6e43e90b2bbf47cfc25407368464e81_JaffaCakes118.exe startC:\Program Files (x86)\17ACE\lvvm.exe%C:\Program Files (x86)\17ACE
  C:\Program Files (x86)\LP\0F04\9B65.tmp (depth 2)
    Command line: "C:\Program Files (x86)\LP\0F04\9B65.tmp"
    - Executes dropped EXE
C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe (depth 1)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process: 1
    Windows Service: 1
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 2
Downloads
C:\Users\Admin\AppData\Roaming\48C17\7ACE.8C1
  Filesize: 1KB
  MD5: 4d7d882ce162fafc78663991bcb99045
  SHA1: f263d8545bc3cccdd6e7475ffef73166fc87e6ca
  SHA256: cd2c3862b09903f04b2a47b1158bd18800f24186f6731c37e9832031bb072a32
  SHA512: 69d77ca4baa1c0a9b3041bebf417a9f30c6a38ea3e167af275e507ceed83a3d63f2893b85e3403f8aa73499a2e3afb2e5c0bcad3d4a948978cd072dcbb6fc791

C:\Users\Admin\AppData\Roaming\48C17\7ACE.8C1
  Filesize: 600B
  MD5: 0be1d4d0f6e9832cde9d2a07759e49e0
  SHA1: afb6aec18f51198886f27ce0e3a39fb8f88eedd6
  SHA256: 2e51bb3531d3626e6380d396bada61e670dc6ca91eb932b0eb13982190b1aca3
  SHA512: 6465daf8267c207a907e439d4a6a51bedbc2436f3c448a355f28e5bf303ea911c9955b587d3031a2cdc28bd528652c97cc48e33e512a736f6a9508fecf388be4

C:\Users\Admin\AppData\Roaming\48C17\7ACE.8C1
  Filesize: 996B
  MD5: 522123b6fed70ac37d6ddfd6594827e3
  SHA1: c88da33def4ef08a07c9091ff82dfa09147dd1e7
  SHA256: 3dd10d108ce015ed65aba769535ca700d764134386ccdedd3abfb00bf68ca631
  SHA512: 2b8ced036884e192fc65e27b3548022215abf7dec3850750b458c7eaea3ca030aac4d2a0899602ba7d69db4aaee32e78c451b97d97fadd5d6410396676a043cc

\Program Files (x86)\LP\0F04\9B65.tmp
  Filesize: 99KB
  MD5: 9d83b6d4629b9d0e96bbdb171b0dc5db
  SHA1: e9bed14c44fe554e0e8385096bbacca494da30b1
  SHA256: d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d
  SHA512: 301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c
Memory dumps:
  resource | Filesize
  memory/268-192-0x00000000002E0000-0x00000000003E0000-memory.dmp | 1024KB
  memory/268-76-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/268-77-0x00000000002E0000-0x00000000003E0000-memory.dmp | 1024KB
  memory/1448-15-0x00000000020F0000-0x0000000002137000-memory.dmp | 284KB
  memory/1448-14-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/1448-13-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/2340-78-0x0000000001FE0000-0x00000000020E0000-memory.dmp | 1024KB
  memory/2340-1-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/2340-73-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/2340-11-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/2340-191-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/2340-2-0x0000000001FE0000-0x00000000020E0000-memory.dmp | 1024KB
  memory/2340-196-0x0000000000400000-0x000000000046C000-memory.dmp | 432KB
  memory/2712-171-0x0000000004580000-0x0000000004581000-memory.dmp | 4KB
  memory/2712-194-0x0000000004580000-0x0000000004581000-memory.dmp | 4KB
  memory/2896-188-0x0000000000400000-0x000000000041C000-memory.dmp | 112KB
  memory/2896-189-0x00000000005C0000-0x00000000006C0000-memory.dmp | 1024KB
  memory/2896-190-0x0000000000400000-0x000000000041C000-memory.dmp | 112KB