Analysis
Max time kernel: 126s
Max time network: 128s
Platform: windows10-2004_x64
Resource: win10v2004-20240412-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15/04/2024, 14:45
Static task: static1
Behavioral task: behavioral1
  Sample: f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe
Size: 722KB
MD5: f14ec6f72419e2bf8ebc721bb2e79bf0
SHA1: 80c534e25a7a48dfa666aad6648ca22a90d4ca00
SHA256: ad6e55414d2c5e811c1c7d5cd193820a5616e2b858992c9cbc246f8f7e1ee1a9
SHA512: 104d1c68932e27ac5dab23bc8b83de4386f0b19793691b6fab64f11f48b191be39edec58bcb2d069075c05249159c8c7997549621cb0a1d6b3396c83dc4fa146
SSDEEP: 12288:n9FL0w8RtsoatrRnyIEENLXZNDrGofoFDqF3Z4mxxNqqEeT3GH73a:n8w83sPDtEYLXjfoFWQmXwpeTora
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4436  4.exe
  4592  QQ.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe
- Drops file in Windows directory (2 IoCs)
  description                  ioc                Process
  File created                 C:\Windows\QQ.exe  4.exe
  File opened for modification C:\Windows\QQ.exe  4.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4436  4.exe
  Token: SeDebugPrivilege   4592  QQ.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4592  QQ.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                   pid   Process                                              procid_target
  PID 3820 wrote to memory of 4436  3820  f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe  87
  PID 3820 wrote to memory of 4436  3820  f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe  87
  PID 3820 wrote to memory of 4436  3820  f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe  87
  PID 4592 wrote to memory of 2368  4592  QQ.exe                                               92
  PID 4592 wrote to memory of 2368  4592  QQ.exe                                               92
Processes
- C:\Users\Admin\AppData\Local\Temp\f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f14ec6f72419e2bf8ebc721bb2e79bf0_JaffaCakes118.exe"
  PID: 3820
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    PID: 4436
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\QQ.exe
  Command line: C:\Windows\QQ.exe
  PID: 4592
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2368
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 788KB
  MD5: 7cc1965db778e7a4f52dbac37a25b5de
  SHA1: f5206b6ba4a0a0c85fa1b0c3a90245a4633d1cef
  SHA256: 94d4366eaeb86b0a83d2639049334181ad97694df71cb8fa470189536b3ca163
  SHA512: fd0ea2a63d310955c766f4bb941fa2d091b3e03212d5f73a1a0b82734e2a7491472b378e8b05e1cf20574c649abc41823c9be43a64bd74682f61b7a887b8015d