Analysis
- max time kernel: 147s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-04-2024 07:44
Static task
- static1
Behavioral task
- behavioral1: sample f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task
- behavioral2: sample f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe, resource win10v2004-20240412-en (the run shown on this page)
General
- Target: f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
- Size: 1.0MB
- MD5: f099166904861ab4279bcb3363818e1b
- SHA1: 947bdc188faf9186d1a0da4c5344092796edeb7b
- SHA256: b77cbf38ccd7eaffd507edd029defb701eb4f7627eb55d24b00981188af05a33
- SHA512: 8cd115cdfe8e286a79a7b81a948ff5475f9492b0d649c632fefa64576aa648cf24acb18659f575ad31927a7f6f83554aff90a24d74eb6881696875497c69bc3b
- SSDEEP: 12288:krcp5dIUYqiMzISoyzoSQMJe+Cixm4I5aex6sDQ6Z6pfwXOisfg+KpDZqLivKBSS:YGYKzmx+CJn5jDQ3pNtyDZ+E8b
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (Injection.exe)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CeUaJ.exe (f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  PID 1868 Injection.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe" (f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe)
  Two user-level autostart mechanisms are used: the Startup-folder copy (CeUaJ.exe) above and this HKCU Run value, both pointing into the user's roaming profile.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1660 (f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe) set thread context of PID 1868 (Injection.exe)
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Injection.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Injection.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Injection.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (Injection.exe)
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (Injection.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1660 f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  PID 1660 f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe enabled: SeDebugPrivilege
  PID 1868 Injection.exe enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 and 36 (not resolved to names by the report)
  Injection.exe enabled essentially every privilege in its token in one go, SeDebugPrivilege included, rather than the single privilege a legitimate operation would need. The parent enabled SeDebugPrivilege, the privilege that lets a process open arbitrary other processes with full access.
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 1660 (f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe) wrote to memory of PID 1148 (csc.exe): 3 events
  PID 1148 (csc.exe) wrote to memory of PID 4948 (cvtres.exe): 3 events
  PID 1660 (f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe) wrote to memory of PID 1868 (Injection.exe): 14 events
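Three of the signatures above (Checks BIOS information, Checks processor information, Enumerates system info) show the dropped Injection.exe reading the values under HARDWARE\DESCRIPTION\System that anti-analysis code typically compares against known hypervisor strings before deciding whether to run the real payload. A sandbox operator can turn the same list around: read the values the sample asked for and check whether any of them give the environment away. The Python below is an added example, not code from the report or from the sample; the key paths are exactly the ones the report lists, while the marker strings, the "default VirtualBox BIOS date" and the two snapshots are constructed for illustration and should be treated as assumptions.

```python
"""Check the registry values the report shows Injection.exe querying for
hypervisor giveaways.

Added example, not part of the sandbox report. Key paths are taken from the
'Checks BIOS information', 'Checks processor information' and 'Enumerates
system info' signatures; marker strings and the snapshots are constructed.
"""

HW = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"

# Values the report shows Injection.exe querying.
QUERIED_VALUES = (
    HW + r"\SystemBiosDate",
    HW + r"\Identifier",
    HW + r"\CentralProcessor\0\ProcessorNameString",
    HW + r"\CentralProcessor\0\Identifier",
    HW + r"\CentralProcessor\0\VendorIdentifier",
)

# Substrings anti-VM code commonly looks for (illustrative list, an assumption).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "XEN", "KVM",
              "BOCHS", "PARALLELS", "HYPER-V", "VIRTUAL")

# Assumption: BIOS date VirtualBox reports by default, as cited in anti-VM
# checklists; anti-sandbox code tests SystemBiosDate against values like this.
KNOWN_VM_BIOS_DATES = {"06/23/99"}


def giveaways(snapshot):
    """Return {value_path: reason} for every queried value that looks like a VM.

    `snapshot` maps a registry value path to the string the guest would read.
    A value missing from the snapshot is reported as 'missing': a real machine
    always has these values, so their absence is itself a tell.
    """
    findings = {}
    for path in QUERIED_VALUES:
        if path not in snapshot:
            findings[path] = "missing"
            continue
        value = str(snapshot[path])
        upper = value.upper()
        hit = next((m for m in VM_MARKERS if m in upper), None)
        if hit:
            findings[path] = f"contains {hit!r}"
        elif path.endswith(r"\SystemBiosDate") and value in KNOWN_VM_BIOS_DATES:
            findings[path] = "default hypervisor BIOS date"
    return findings


# Constructed snapshots (not from the report). The first combines two
# giveaways an unhardened guest might expose (a default VirtualBox BIOS date
# and a QEMU CPU name); the second resembles a physical machine.
UNHARDENED_GUEST = {
    HW + r"\SystemBiosDate": "06/23/99",
    HW + r"\Identifier": "AT/AT COMPATIBLE",
    HW + r"\CentralProcessor\0\ProcessorNameString": "QEMU Virtual CPU version 2.5+",
    HW + r"\CentralProcessor\0\Identifier": "Intel64 Family 6 Model 94 Stepping 3",
    HW + r"\CentralProcessor\0\VendorIdentifier": "GenuineIntel",
}

PHYSICAL_HOST = {
    HW + r"\SystemBiosDate": "03/15/22",
    HW + r"\Identifier": "AT/AT COMPATIBLE",
    HW + r"\CentralProcessor\0\ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    HW + r"\CentralProcessor\0\Identifier": "Intel64 Family 6 Model 158 Stepping 10",
    HW + r"\CentralProcessor\0\VendorIdentifier": "GenuineIntel",
}

if __name__ == "__main__":
    for name, snap in (("unhardened guest", UNHARDENED_GUEST), ("physical host", PHYSICAL_HOST)):
        print(name, giveaways(snap) or "no giveaways")
```

On a live analysis VM the snapshot would be filled from the guest's own registry (the same five value paths, read with any registry API) and every path that comes back in `giveaways()` is one the sandbox image should be hardened on before the next detonation.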
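Reading the SetThreadContext and WriteProcessMemory signatures together: the sample (PID 1660) wrote into the memory of the process it had just started from the dropped Injection.exe (PID 1868) fourteen times and then replaced that process's thread context, which is the footprint of process hollowing, where a child is created suspended, its image is overwritten and its entry point is redirected with SetThreadContext before the thread resumes. The three writes each into csc.exe and cvtres.exe are a different matter: a creating process performs a few writes into a fresh child to populate its startup data, so a handful of writes per CreateProcess is expected noise. The Python below is an added example, not part of the report, that encodes this triage rule over the events transcribed from the two signatures; the PIDs, image names and counts are the report's, while the noise threshold and the parent relation for PID 1660 (which the report does not give) are my assumptions.

```python
"""Triage of the report's WriteProcessMemory / SetThreadContext events.

Added example, not part of the sandbox report. PIDs, image names and event
counts are transcribed from the report; the noise threshold is an assumption.
"""
from collections import Counter

SAMPLE = "f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe"

# pid -> (image, parent pid), from the process tree. The report records no
# parent for 1660, so it is modelled as the root.
PROCESSES = {
    1660: (SAMPLE, None),
    1148: ("csc.exe", 1660),
    4948: ("cvtres.exe", 1148),
    1868: ("Injection.exe", 1660),
}

# One (source pid, target pid) per "PID X wrote to memory of Y" row:
# 3 + 3 + 14 rows, as in the 20-IoC signature.
WRITE_PROCESS_MEMORY = [(1660, 1148)] * 3 + [(1148, 4948)] * 3 + [(1660, 1868)] * 14

# One (source pid, target pid) per "set thread context of" row.
SET_THREAD_CONTEXT = [(1660, 1868)]

# Targets the report flags under "Executes dropped EXE".
DROPPED_EXE = {1868}

# Assumption: a creating process performs a few WriteProcessMemory calls on a
# new child to set up its startup data, so this many writes from the parent
# alone is not evidence of injection.
CREATE_PROCESS_WRITE_NOISE = 3


def write_counts(events):
    """Collapse repeated write rows into {(source, target): count}."""
    return Counter(events)


def triage_writes(write_events, ctx_events, processes, dropped):
    """Classify every (source, target) write relation.

    Returns a list of dicts sorted by descending severity, one per relation:
      'hollowing'    writes plus SetThreadContext on the same target
      'heavy-write'  more writes than process creation explains, or writes
                     into a process the source did not create, no context swap
      'create-noise' a few writes from the parent that created the target
    """
    ctx = set(ctx_events)
    findings = []
    for (src, tgt), n in write_counts(write_events).items():
        src_img = processes[src][0]
        tgt_img, tgt_parent = processes[tgt]
        if (src, tgt) in ctx:
            verdict = "hollowing"
        elif n > CREATE_PROCESS_WRITE_NOISE or tgt_parent != src:
            verdict = "heavy-write"
        else:
            verdict = "create-noise"
        findings.append({
            "source": f"{src} {src_img}",
            "target": f"{tgt} {tgt_img}",
            "writes": n,
            "set_thread_context": (src, tgt) in ctx,
            "target_was_dropped": tgt in dropped,
            "verdict": verdict,
        })
    order = {"hollowing": 0, "heavy-write": 1, "create-noise": 2}
    findings.sort(key=lambda f: (order[f["verdict"]], -f["writes"]))
    return findings


def hollowing_chains(findings):
    """Return 'source -> target' strings for relations judged to be hollowing."""
    return [f"{f['source']} -> {f['target']}" for f in findings if f["verdict"] == "hollowing"]


if __name__ == "__main__":
    for f in triage_writes(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, PROCESSES, DROPPED_EXE):
        print(f"{f['verdict']:13} {f['source']} -> {f['target']} writes={f['writes']} "
              f"ctx={f['set_thread_context']} dropped={f['target_was_dropped']}")
```

Run against this report the only relation classified as hollowing is 1660 -> 1868 (14 writes, context swap, target executed from a dropped file); the csc.exe and cvtres.exe writes fall under creation noise, which is why the compiler's presence in the tree is not itself the alarming part.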
Processes
- C:\Users\Admin\AppData\Local\Temp\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe (PID 1660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f099166904861ab4279bcb3363818e1b_JaffaCakes118.exe"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1148)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8d4mczn_.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4948)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F8D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F8C.tmp"
  - C:\Users\Admin\AppData\Roaming\Injection.exe (PID 1868)
    Command line: C:\Users\Admin\AppData\Roaming\Injection.exe
    Signatures: Checks BIOS information in registry; Executes dropped EXE; Checks processor information in registry; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken

The csc.exe/cvtres.exe pair is the footprint of the .NET Framework 2.0 C# compiler being driven at runtime: csc.exe reads its arguments from a temporary .cmdline response file and calls cvtres.exe to convert the compiled resource file (CSC*.tmp) into an object (RES*.tmp) that it links into the output. Injection.exe, dropped into the roaming profile during the run and started as a child of the sample, is the process that then receives the memory writes and the SetThreadContext call listed under Signatures.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: 4b2425bc7ee4ff3c2ef8f1848395e469
  SHA1: d0913ca7f9ae19c02bfd489daf7297f538d7c012
  SHA256: 73bbb71c2896dfd1d9837719aa6bb8c76bc5ff4a757253192c0a298feec81d8f
  SHA512: dea5cf2fde0c1de58565f862e7fa7daeb8c1e79c1359b6ce3b59ffed1c9631e61bcfbd9869fe6b48de0c9e1bb85a7b49f035d1ad2d4d53bb85b9c3c2d494d14f
- Filesize: 1KB
  MD5: 1b04c7ba5293a64589f022b23cbec068
  SHA1: d972a0114f41c91d0f36e72cedef8735cb9e8e89
  SHA256: 161a37e1fa17b9aec8fbb8ebc9ad47bcb3167fa2a65740f9fc5f66e2d3051b07
  SHA512: adb91ae08f2ec0c62ab673238c746641fcc0561a0abb229ef74d7d290a68a3015f4ab0d935c140f0dcb0fe93bf6fc6978bdfaae3d1f057a039d0c3dd19c2b8d7
- Filesize: 16KB
  MD5: ba093215cda2c953d09cb4be4b85931f
  SHA1: 776090132599bca6a7d29362bba6a5893669e2a9
  SHA256: 8111d242686858f3a2e9adf30cd37b5c264743bfd4ad4d090ea4ce4187ce7798
  SHA512: dc66ac0b2442339ec1bcbd2fa85a1e8e04d6485ea946a84a2516d96138f2c7f14bca703c71bb085669de0c4bc088e0e17927ca094273d06e01cfa0c5b1f35023
- Filesize: 4KB
  MD5: 6830431c6b49f72eaca4b2888a0ddaa9
  SHA1: 502083f68f991bfcfd771a7ba5bd508c2834591c
  SHA256: ae57e8973a24563582d571743f0339d9347ffc82ed716d12a994694c2b673bf8
  SHA512: 939fa8cb2ca518904dea91b9612c53d833b9cf11e393fb376c1b0d00734e52b33708a6302e04bf15cb6a8e745475163766dec5a29ac265c914d0c286a170b35a
- Filesize: 206B
  MD5: 2ceb3f966886e16e02460fe9dab4b068
  SHA1: 7221d1887344c20e954157464807a4fe50de1948
  SHA256: ea338e2fa51a2617da08d7f8d05ba8c7261b8c6348595321e6699dc54438ba3e
  SHA512: ac33e4ff1df94ecfd772bacd7a7817a3bd744bc3b2ba6418daa8ba5731e189faad1d1109d3c0f8b7e1005035c2942294bee80fbfa5dd434580632a3dac35085a
- Filesize: 652B
  MD5: 3a0e519d5f9198bb9c536342b3e24c1f
  SHA1: dc9a155928830a51dad88034a5b2fd094dfbf221
  SHA256: e919dc625776507758d0b7493b4e2d4eb3ec2157f5558896debc36b907f5bd02
  SHA512: 0e614c116d2d7d5ff5ec52f3156c9bf1d53d8d551cd5b6ce728c7f7aa3fd9631168f5fdd000e9909d526ef2e93e73ca26bba1e7b414f3ba9a69a95c815fad66b