Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-04-2024 07:44
Static task: static1
Behavioral task: behavioral1
- Sample: f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
- Size: 1.0MB
- MD5: f099166904861ab4279bcb3363818e1b
- SHA1: 947bdc188faf9186d1a0da4c5344092796edeb7b
- SHA256: b77cbf38ccd7eaffd507edd029defb701eb4f7627eb55d24b00981188af05a33
- SHA512: 8cd115cdfe8e286a79a7b81a948ff5475f9492b0d649c632fefa64576aa648cf24acb18659f575ad31927a7f6f83554aff90a24d74eb6881696875497c69bc3b
- SSDEEP: 12288:krcp5dIUYqiMzISoyzoSQMJe+Cixm4I5aex6sDQ6Z6pfwXOisfg+KpDZqLivKBSS:YGYKzmx+CJn5jDQ3pNtyDZ+E8b
Malware Config
Signatures
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  process | description | ioc
  Injection.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Drops startup file (1 IoC)
Processes:
  process | description | ioc
  f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CeUaJ.exe
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2572 | Injection.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  3000 | f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
  3000 | f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  process | description | ioc
  f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe"
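The two persistence rows recorded so far (the Startup-folder drop and the Run key) are printed in the sandbox's NT object-manager form, with the REG_SZ data shown with escaped backslashes. The following is an added example, not part of the report or of the sandbox's tooling: it parses rows in that layout, maps \REGISTRY\USER and \REGISTRY\MACHINE to the HKU and HKLM abbreviations that reg.exe accepts, unescapes the data, tags both artefacts with ATT&CK T1547.001 (Registry Run Keys / Startup Folder) and emits a reg query or dir command to hunt for the same artefacts on another host. The row strings are copied from the report; the regexes, the user-writable-path heuristic and the output shape are this example's own assumptions.

```python
"""Normalise the report's persistence IoCs (Run key, Startup-folder drop) into hunt-ready
indicators. Added example: row strings copied from the report, everything else assumed."""
import re

# Rows in the sandbox's "Set value (type) <key>\<name> = "<data>" <process>" and
# "File created <path> <process>" layouts, as printed in the report above.
IOC_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe" f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CeUaJ.exe f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe',
]

# Run and RunOnce under any hive; the lazy \S+? swallows the SID component of HKU paths.
RUN_KEY_RE = re.compile(
    r'^Set value \((\w+)\) (\\REGISTRY\\\S+?\\CurrentVersion\\(Run|RunOnce))\\([^\\\s]+) = "(.*)" (\S+)$',
    re.I,
)
# Per-user and all-users Startup folders both end in Start Menu\Programs\Startup\<file>.
STARTUP_RE = re.compile(r'^File created (.+?\\Start Menu\\Programs\\Startup\\([^\\]+?)) (\S+)$', re.I)
# Heuristic (assumption): an autorun pointing into a user-writable location deserves a closer look.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|ProgramData|Public)\\', re.I)

# NT object-manager registry roots, as the sandbox logs them -> reg.exe hive abbreviations.
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


def to_win32_path(nt_key):
    """\\REGISTRY\\USER\\S-1-5-...\\Software -> HKU\\S-1-5-...\\Software; unknown roots pass through."""
    for prefix, hive in HIVES:
        if nt_key.upper().startswith(prefix):
            return hive + nt_key[len(prefix):]
    return nt_key


def parse_persistence(rows):
    """Turn report rows into T1547.001 findings; rows in any other layout are ignored."""
    findings = []
    for row in rows:
        m = RUN_KEY_RE.match(row)
        if m:
            value_type, key, _subkey, name, data, proc = m.groups()
            key = to_win32_path(key)
            target = data.replace("\\\\", "\\")  # the sandbox prints REG_SZ data with escaped backslashes
            findings.append({
                "technique": "T1547.001", "kind": "run_key", "key": key, "value_name": name,
                "value_type": value_type, "target": target,
                "user_writable_target": bool(USER_WRITABLE_RE.search(target)),
                "process": proc,
                "hunt": f'reg query "{key}" /v "{name}"',
            })
            continue
        m = STARTUP_RE.match(row)
        if m:
            path, fname, proc = m.groups()
            findings.append({
                "technique": "T1547.001", "kind": "startup_folder", "path": path, "file": fname,
                "process": proc, "hunt": f'dir "{path}"',
            })
    return findings


if __name__ == "__main__":
    for finding in parse_persistence(IOC_ROWS):
        print(finding["technique"], finding["kind"], finding["hunt"])
```

The SID in the key is specific to the sandbox's user account; when hunting on other hosts, query the Run key of every loaded user hive under HKU rather than that literal SID.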
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 3000 set thread context of 2572 | 3000 | f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe | Injection.exe
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  process | description | ioc
  Injection.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Injection.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Injection.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Injection.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  process | description | ioc
  Injection.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
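Injection.exe reads the BIOS date, the CentralProcessor\0 values and the System\Identifier; taken together these make up a hardware fingerprint, which is why the sandbox labels the reads as sandbox detection. The following added example (not from the report or the sandbox) shows the telemetry side of that: it parses rows in the report's "Key value queried <key> <process>" layout, buckets the keys into bios, cpu and system categories and reports a process only when it touches at least two categories, since a single read of any one of them is common in legitimate software. A second helper checks values read from those keys against the hypervisor strings VM-aware malware typically compares with (VMware, VBOX, QEMU, VRTUAL for Hyper-V and so on). The event lines and the VirtualBox-style value are constructed for the example; the report gives only the keys, not the data they returned.

```python
"""Flag hardware-fingerprinting registry reads of the kind the report records for Injection.exe.
Added example: event rows are constructed in the report's layout; thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed telemetry: the six reads the report attributes to Injection.exe plus one
# unrelated read by explorer.exe, all in the sandbox's "<operation> <key> <process>" layout.
SAMPLE_EVENTS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Injection.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Injection.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Injection.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Injection.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Injection.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier Injection.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden explorer.exe
"""

EVENT_RE = re.compile(r"^(Key value queried|Key opened) (\\REGISTRY\\\S+) (\S+)$")

# One pattern per fingerprint category under HKLM\HARDWARE\DESCRIPTION\System.
CATEGORIES = {
    "bios": re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosDate|SystemBiosVersion|VideoBiosVersion)$", re.I),
    "cpu": re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\\w+)?$", re.I),
    "system": re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\Identifier$", re.I),
}

# Substrings hypervisors leave in those keys; VM-aware malware compares the data against these.
HYPERVISOR_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "BOCHS", "XEN", "VRTUAL", "HYPER-V", "PARALLELS")


def parse_events(text):
    """Return (operation, key, process) tuples, skipping lines that do not fit the row layout."""
    rows = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def classify_key(key):
    """Name of the fingerprint category a key belongs to, or None for unrelated keys."""
    for name, pattern in CATEGORIES.items():
        if pattern.match(key):
            return name
    return None


def fingerprinting_processes(events, min_categories=2):
    """Map process -> categories read, keeping processes that touched at least `min_categories`.
    One category alone is routine; BIOS plus CPU plus system identifier from one image is the
    sandbox-detection pattern the report shows for Injection.exe."""
    touched = defaultdict(set)
    for _operation, key, process in events:
        category = classify_key(key)
        if category:
            touched[process].add(category)
    return {p: c for p, c in touched.items() if len(c) >= min_categories}


def hypervisor_markers(values):
    """values: {value_name: data read from the key}. Return 'name: MARKER' for every hit."""
    hits = []
    for name, data in values.items():
        upper = data.upper()
        for marker in HYPERVISOR_MARKERS:
            if marker in upper:
                hits.append(f"{name}: {marker}")
                break
    return hits


if __name__ == "__main__":
    for process, categories in fingerprinting_processes(parse_events(SAMPLE_EVENTS)).items():
        print(f"{process}: hardware fingerprinting across {sorted(categories)}")
    # Constructed data of the kind a VirtualBox guest returns; not taken from the report.
    print(hypervisor_markers({"SystemBiosVersion": "VBOX   - 1", "ProcessorNameString": "Intel(R) Core(TM) i7"}))
```

Lower min_categories to 1 only when scoping a known-bad process; at 2 the rule stays quiet on inventory agents and installers that read a single CPU or BIOS value.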
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid | process
  3000 | f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  pid | process | tokens enabled
  3000 | f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe | SeDebugPrivilege
  2572 | Injection.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
The last three are reported by privilege LUID only; 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description | pid | process | target process | events
  PID 3000 wrote to memory of 2184 | 3000 | f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe | csc.exe | 4
  PID 2184 wrote to memory of 2608 | 2184 | csc.exe | cvtres.exe | 4
  PID 3000 wrote to memory of 2572 | 3000 | f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe | Injection.exe | 13
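Read together, the SetThreadContext and WriteProcessMemory rows describe one sequence: PID 3000 starts Injection.exe (2572) as its child, writes into it thirteen times and then sets its thread context, which is the process-hollowing pattern. The writes into csc.exe and cvtres.exe have no matching SetThreadContext and belong to the compiler pipeline visible in the process tree. The following added example (not from the report or the sandbox) correlates rows in the report's layout against a process table reconstructed from the Processes section: it reports a (parent, child) pair only when the parent spawned the child, wrote into it and set its thread context, and separately flags csc.exe launched by a non-development parent with an @response file in Temp, the compile-at-runtime footprint in the tree. The allow-list of expected csc.exe parents is an assumption to tune per environment.

```python
"""Correlate SetThreadContext / WriteProcessMemory rows with the process tree.
Added example: process table and rows reconstructed from the report; rules are assumptions."""
import re
from collections import defaultdict

SAMPLE = "f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe"

# (pid, parent pid, image, command line) as shown in the report's Processes section.
PROCESSES = [
    (3000, None, SAMPLE, '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    (2184, 3000, "csc.exe",
     '"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe" /noconfig /fullpaths '
     '@"C:\\Users\\Admin\\AppData\\Local\\Temp\\rpvtndcb.cmdline"'),
    (2608, 2184, "cvtres.exe",
     'C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
     '"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES2492.tmp" "c:\\Users\\Admin\\AppData\\Local\\Temp\\CSC2491.tmp"'),
    (2572, 3000, "Injection.exe", "C:\\Users\\Admin\\AppData\\Roaming\\Injection.exe"),
]

# One row per distinct (source, operation, target) in the sandbox's
# "PID <src> <operation> <dst> <pid> <process> <target process>" layout. The report repeats
# the 3000 -> 2572 write 13 times and the other two writes 4 times each; counts do not matter here.
MEMORY_EVENTS = f"""
PID 3000 wrote to memory of 2184 3000 {SAMPLE} csc.exe
PID 2184 wrote to memory of 2608 2184 csc.exe cvtres.exe
PID 3000 wrote to memory of 2572 3000 {SAMPLE} Injection.exe
PID 3000 set thread context of 2572 3000 {SAMPLE} Injection.exe
"""
ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \S+$")

# Assumption: parents under which a csc.exe child is expected; tune to the environment.
ALLOWED_CSC_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}


def parse_memory_events(text):
    """Return (source pid, operation, target pid) for every row that fits the layout."""
    out = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out


def hollowing_candidates(processes, events):
    """Parent spawns a child, writes into it and then sets its thread context: the process-hollowing
    sequence. All three must hold for the same (parent, child) pair, so the writes into csc.exe
    and cvtres.exe, which have no SetThreadContext, are not reported."""
    parent_of = {pid: ppid for pid, ppid, _img, _cmd in processes}
    image_of = {pid: img for pid, _ppid, img, _cmd in processes}
    ops = defaultdict(set)
    for src, op, dst in events:
        ops[(src, dst)].add(op)
    hits = []
    for (src, dst), seen in ops.items():
        if {"wrote to memory of", "set thread context of"} <= seen and parent_of.get(dst) == src:
            hits.append((src, image_of.get(src), dst, image_of.get(dst)))
    return hits


def runtime_compilation(processes, allowed_parents=ALLOWED_CSC_PARENTS):
    """csc.exe under a non-development parent, driven by an @response file, is the
    compile-at-runtime footprint (csc.exe -> cvtres.exe) the process tree shows."""
    image_of = {pid: img for pid, _ppid, img, _cmd in processes}
    hits = []
    for pid, ppid, img, cmd in processes:
        if img.lower() != "csc.exe" or image_of.get(ppid, "").lower() in allowed_parents:
            continue
        resp = re.search(r'@"?([^"\s]+\.cmdline)', cmd)
        hits.append((ppid, image_of.get(ppid), pid, resp.group(1) if resp else None))
    return hits


if __name__ == "__main__":
    events = parse_memory_events(MEMORY_EVENTS)
    for src, src_img, dst, dst_img in hollowing_candidates(PROCESSES, events):
        print(f"hollowing candidate: {src_img} ({src}) -> {dst_img} ({dst})")
    for ppid, parent_img, pid, resp in runtime_compilation(PROCESSES):
        print(f"runtime compilation: {parent_img} ({ppid}) spawned csc.exe ({pid}) with {resp}")
```

On a live host the same two rules map onto Sysmon events 1 (process creation), 8 or 10 (remote thread and process access) rather than sandbox rows; the correlation key, the (parent, child) pid pair, stays the same.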
Processes
C:\Users\Admin\AppData\Local\Temp\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe (PID 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2184, parent 3000)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpvtndcb.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2608, parent 2184)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2492.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2491.tmp"
  C:\Users\Admin\AppData\Roaming\Injection.exe (PID 2572, parent 3000)
    Command line: C:\Users\Admin\AppData\Roaming\Injection.exe
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b08cc760a3ad3300a31aea21003467b2
  SHA1: e11e1e278c9c4df3d6fed7e153f70fde6d4ab287
  SHA256: 4d3cfb36cfad405768837f11c9c7083cd7ac777bf7b63758d63a0320e81e939d
  SHA512: f241f03291049a61d2bbc9e32464fd7f0e59c5736d4fcb254de1aa1de286fc19c6ee8a50adab53303c7598c16e1d88ca505507aaf41e7dfbfa1d73b362cb4e8c
- Filesize: 5KB
  MD5: 0e37ad110648e6fea93defd082b01930
  SHA1: 3f04947c8827e19b7a9b4b4463e4569dcb5c5c6f
  SHA256: abd15708a674c0b10edab68a9fa106a4fea873e594bdd21cb31c2799eac514ec
  SHA512: 1ce926845dcdeb8dfe6b6d5ca4cbcfe0b9ec57b4784111bbaff8da1082e2b385f3cb573d0732315f71af8801173bb0cc383a53e5c1abc66b0fa845fdddf8fda3
- Filesize: 652B
  MD5: 50faa68530824e8a94483d3aa6904a30
  SHA1: 7fb4d05a4be699e879d3f257690fb2697b3c0d4e
  SHA256: bc8f62b6fcd058d2ae93c125c3a67d3528dca3073dd3dfb456ec07298c3bc482
  SHA512: a3995c11fbab31c021e8c65a5c502622857eb33f3053945b9c8cb460923b1c19265304eec9e91bb6333d7d24f5640b35332b4c437b88943181307b396f8e0fcc
- Filesize: 4KB
  MD5: 6830431c6b49f72eaca4b2888a0ddaa9
  SHA1: 502083f68f991bfcfd771a7ba5bd508c2834591c
  SHA256: ae57e8973a24563582d571743f0339d9347ffc82ed716d12a994694c2b673bf8
  SHA512: 939fa8cb2ca518904dea91b9612c53d833b9cf11e393fb376c1b0d00734e52b33708a6302e04bf15cb6a8e745475163766dec5a29ac265c914d0c286a170b35a
- Filesize: 206B
  MD5: 573dbcbfb712af18b3430e5d5f063ad8
  SHA1: a5c5dfe85383b1688f0d250660d7f39a1218e382
  SHA256: 5f718e41637fae4c8e35f71004815aacaf583e1010966e02989b7800f33a93ec
  SHA512: 47a6e40e6e98a9bab6db637c70c887f356b659bfd8e9304ffeaeee2658a96c7a31516f672a5ff37c1aaf74c46422a72aac0e8f3e1e9e9936880ca81ee7ffab66
- Filesize: 16KB
  MD5: ba093215cda2c953d09cb4be4b85931f
  SHA1: 776090132599bca6a7d29362bba6a5893669e2a9
  SHA256: 8111d242686858f3a2e9adf30cd37b5c264743bfd4ad4d090ea4ce4187ce7798
  SHA512: dc66ac0b2442339ec1bcbd2fa85a1e8e04d6485ea946a84a2516d96138f2c7f14bca703c71bb085669de0c4bc088e0e17927ca094273d06e01cfa0c5b1f35023