Analysis
max time kernel: 142s
max time network: 125s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64 arch:x86 image:win7-20240319-en locale:en-us os:windows7-x64 system
submitted: 09-04-2024 03:17
Static task: static1
Behavioral task: behavioral1
  Sample: e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Size: 139KB
MD5: e9174d4648a95cb3b6c98c4cbad92022
SHA1: 5bcd575a3b728a9eaec2eabf1d2f14f68ed47817
SHA256: d48dfc209aa357d99b80a59daadbf8b428dea5225d7f76d9137c966b95745404
SHA512: c0ddbdb8c2fd5038bc9f61e4b455c1d797ab94492bbf6e66c47c34eace6f572d06e0e213107300a78b9f48afd7a7cfbb739bf9ecdb39dd721b40b67eb20c7940
SSDEEP: 3072:z7wiiFUMA+5tjEwd/eURl7vkN3nbDPyGDBIZYpvztNUpP://iFUM37QwdxvkRPX9IWpZg
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid | Process
1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\help\B41346EFA848.dll | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
File opened for modification | C:\Windows\help\B41346EFA848.dll | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe

Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll" | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment" | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765} | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL" | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeBackupPrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeBackupPrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
Token: SeRestorePrivilege | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1728 wrote to memory of 2364 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 28
PID 1728 wrote to memory of 2364 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 28
PID 1728 wrote to memory of 2364 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 28
PID 1728 wrote to memory of 2364 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 28
PID 1728 wrote to memory of 2956 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 30
PID 1728 wrote to memory of 2956 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 30
PID 1728 wrote to memory of 2956 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 30
PID 1728 wrote to memory of 2956 | 1728 | e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e9174d4648a95cb3b6c98c4cbad92022_JaffaCakes118.exe"
  PID: 1728
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c 2.bat
    PID: 2364
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c 2.bat
    PID: 2956
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 63B
MD5: 7c6005c104c401e86208989a1c175ccd
SHA1: 99692e97315bfc61703563e9cc60b0cab626ee42
SHA256: 76512044e6694fa33abe7fa5498b1df636579db7b7b10551886b440d1a1cdea8
SHA512: 4708e9d0a58d7704b69f5ddf428d3458423a837f60dd87293f553affba7fd673438dd54d8b58bfcf14409093233d0c51269c45d19afae678e971e9b14192df79

Filesize: 62B
MD5: 4363cc6ccf940f3948e6f3a7423d5d49
SHA1: 41de46335e1d90823857d0af48249c5c0c4f8ba7
SHA256: 79a1012fef3eb44ce9190fde2c245bbfbbfddaeec9ec8196c3e432fd92495645
SHA512: 8f00ce815c4135c555a7404ea44a9fbb9702bf5ebab6b55ad8c3c679af0a806d8d53dd881717a6d260549ecfc5d959aa5b2e91829ff640bd45fa140c183b8084

Filesize: 126KB
MD5: 398623634db652ae896f1e418bc3f4e0
SHA1: e63999c0e0a0654eef1a172f20ae1888175fb7ff
SHA256: 52e7f8c4cd395e76477bcc78647aeb010f17fad83dcb2797fb5524c6850b649d
SHA512: 47f14fa8ce08f87c1ebe32863f1e0b5ac6d5cd2ad50d1912e57e6c50748255a837948899dfda33d15b22e726857ea22953bb09909d79d02dc3a4996091ccc58e