Analysis

max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 18:09

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
Resource: win7-20240221-en (windows7-x64)
5 signatures, 150 seconds
General

Target: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
Size: 796KB
MD5: f1ab64464f0534e75123ab6e5f42dd6c
SHA1: d9f427e676c7d17a2d2fdafd72ff383361014c83
SHA256: 6dd06780f4dacd0f0fc9f044d6200e989e9435ef8977cc3a1396aebad13b1caf
SHA512: 89ea99a14dad6a9e94dd191b32e5483472fbcaa3678fdc5a3ed3b0f3a177f2c6da20713705b9a9b517bea55364a8a3bc9c9181ccbfad6d3d87b2fa29bcc321e8
SSDEEP: 12288:PKJRoPSM52au1bbL35noWJYjmAPjTrbksHMntHGrxV5YzJbotc6vq20QPXn:GKSc2autL3WOYNLStHGr+9ktc6vqm/
Malware Config

Signatures

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   Process                                             procid_target
  PID 1136 set thread context of 2884  1136  f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe  28
  PID 2884 set thread context of 2648  2884  cvtres.exe                                          29

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid   Process
  1136  f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe  (12 identical entries)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                          pid   Process
  Token: SeDebugPrivilege              1136  f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
  Token: SeIncreaseQuotaPrivilege      2884  cvtres.exe
  Token: SeSecurityPrivilege           2884  cvtres.exe
  Token: SeTakeOwnershipPrivilege      2884  cvtres.exe
  Token: SeLoadDriverPrivilege         2884  cvtres.exe
  Token: SeSystemProfilePrivilege      2884  cvtres.exe
  Token: SeSystemtimePrivilege         2884  cvtres.exe
  Token: SeProfSingleProcessPrivilege  2884  cvtres.exe
  Token: SeIncBasePriorityPrivilege    2884  cvtres.exe
  Token: SeCreatePagefilePrivilege     2884  cvtres.exe
  Token: SeBackupPrivilege             2884  cvtres.exe
  Token: SeRestorePrivilege            2884  cvtres.exe
  Token: SeShutdownPrivilege           2884  cvtres.exe
  Token: SeDebugPrivilege              2884  cvtres.exe
  Token: SeSystemEnvironmentPrivilege  2884  cvtres.exe
  Token: SeChangeNotifyPrivilege       2884  cvtres.exe
  Token: SeRemoteShutdownPrivilege     2884  cvtres.exe
  Token: SeUndockPrivilege             2884  cvtres.exe
  Token: SeManageVolumePrivilege       2884  cvtres.exe
  Token: SeImpersonatePrivilege        2884  cvtres.exe
  Token: SeCreateGlobalPrivilege       2884  cvtres.exe
  Token: 33                            2884  cvtres.exe
  Token: 34                            2884  cvtres.exe
  Token: 35                            2884  cvtres.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  description                        pid   Process                                             procid_target
  PID 1136 wrote to memory of 2884   1136  f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe  28  (13 identical entries)
  PID 2884 wrote to memory of 2648   2884  cvtres.exe                                          29  (6 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe  (depth 1, PID 1136)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (depth 2, PID 2884)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe  (depth 3, PID 2648)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"