Analysis

max time kernel: 146s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 21:39

Static task: static1
Behavioral task: behavioral1
Sample: f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe
Size: 242KB
MD5: f461e0baafcd9a9bc218ac8bfdd5e31a
SHA1: 65db47f933a688f831c6e785c1c600df3a85a79b
SHA256: f23cdf7d982b3e0953701893f4104a186da68d8d56c4e8f99f798eff27b7fbae
SHA512: 83c80e5617880a17d88c31646257c1086801d6274a6e3bafe08bda39ea7bebc90fa384dca99d405005c65ed1be284304632bdaffdc6014be98b4ed68342776d7
SSDEEP: 6144:U209KyD6sAdiy2sTgond+7lQHsgNvxRtDcKPH7Pj5lDs:Un9KszAusTT6msg1RDc2BlDs
Malware Config

Extracted family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: shortcut2021.duckdns.org:6002
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_file: systeam32.exe
install_folder: %AppData%

Note: the extracted config has install set to false, so the AsyncRAT payload's own install routine (which would copy it to %AppData%\systeam32.exe) is not what established persistence in this run. The startup-folder file seen under Signatures is Odvhfcwmlbrkgm.exe, written by the Odvhfcwmlbrkgm.exe loader stage, so hunt for that name and path rather than for systeam32.exe. The C2 is a DuckDNS dynamic-DNS host, so the resolved IP can change between runs; key network detections on the hostname and port.
Signatures

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Odvhfcwmlbrkgm.exe | Odvhfcwmlbrkgm.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Odvhfcwmlbrkgm.exe | Odvhfcwmlbrkgm.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  2444 | Nzllbibva.exe
  2556 | Odvhfcwmlbrkgm.exe
  2504 | Odvhfcwmlbrkgm.exe

Loads dropped DLL (3 IoCs)
  pid | Process
  1972 | f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe
  1972 | f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe
  2556 | Odvhfcwmlbrkgm.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2556 set thread context of 2504 | 2556 | Odvhfcwmlbrkgm.exe | 31

  Read together with the WriteProcessMemory rows below (nine writes from 2556 into 2504, both running the same Odvhfcwmlbrkgm.exe image), this is the process-hollowing pattern: the loader starts a second copy of itself, writes the AsyncRAT payload into it and redirects its thread context so the payload runs inside a process whose on-disk image is the benign-looking dropper. Memory of PID 2504, not the file on disk, is where the decrypted payload should be looked for.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid | Process
  2556 | Odvhfcwmlbrkgm.exe (50 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2556 | Odvhfcwmlbrkgm.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target | count
  PID 1972 wrote to memory of 2444 | 1972 | f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe | 28 | 4
  PID 1972 wrote to memory of 2556 | 1972 | f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe | 30 | 4
  PID 2556 wrote to memory of 2504 | 2556 | Odvhfcwmlbrkgm.exe | 31 | 9
Processes

C:\Users\Admin\AppData\Local\Temp\f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe (PID 1972, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Nzllbibva.exe (PID 2444, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Nzllbibva.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe (PID 2556, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe (PID 2504, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe"
      - Executes dropped EXE
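The Signatures and Processes sections above list the injection evidence one API call per row, which is hard to read at a glance. The following is an added example, not part of the sandbox report: it parses those WriteProcessMemory and SetThreadContext rows (copied into the script as constructed input, with the report's repetition counts preserved), rebuilds the injection graph, and flags the source/target pair that shows both a memory write and a thread-context change. When source and target share an image path it labels the finding self-hollowing, which is what Odvhfcwmlbrkgm.exe does here. The function names and the PID-to-image table are this example's own; the PIDs, names and counts come from the report.

```python
"""Reconstruct the injection graph from Triage-style signature rows and flag hollowing.

Added example for this report; not code from the sandbox or the sample.
All input below is constructed from the report's Signatures and Processes sections.
"""
import re
from collections import Counter, defaultdict

# Constructed from the Processes section: PID -> on-disk image.
PROCESSES = {
    1972: r"C:\Users\Admin\AppData\Local\Temp\f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe",
    2444: r"C:\Users\Admin\AppData\Local\Temp\Nzllbibva.exe",
    2556: r"C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe",
    2504: r"C:\Users\Admin\AppData\Local\Temp\Odvhfcwmlbrkgm.exe",
}

# Constructed from the Signatures section. The sandbox emits one row per API
# call, so the duplicates are kept: the write count itself is a signal.
EVENT_LINES = (
    ["PID 1972 wrote to memory of 2444 1972 f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe 28"] * 4
    + ["PID 1972 wrote to memory of 2556 1972 f461e0baafcd9a9bc218ac8bfdd5e31a_JaffaCakes118.exe 30"] * 4
    + ["PID 2556 wrote to memory of 2504 2556 Odvhfcwmlbrkgm.exe 31"] * 9
    + ["PID 2556 set thread context of 2504 2556 Odvhfcwmlbrkgm.exe 31"]
)

# "PID <src> <action> <dst> <src again> <image> <procid_target>"
_ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+$")


def parse_events(lines):
    """Turn report rows into (action, source_pid, target_pid) tuples; reject anything unrecognised."""
    events = []
    for line in lines:
        m = _ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        events.append(("write" if action.startswith("wrote") else "set_context", src, dst))
    return events


def build_injection_graph(events):
    """Map each writing PID to the sorted, de-duplicated PIDs it wrote into."""
    graph = defaultdict(set)
    for action, src, dst in events:
        if action == "write":
            graph[src].add(dst)
    return {src: sorted(dsts) for src, dsts in graph.items()}


def find_hollowing(events, processes):
    """Flag (source, target) pairs with both a memory write and a thread-context change.

    A SetThreadContext on a process the same parent has just written into is the
    hollowing pattern. If both PIDs run the same image, the parent hollowed a copy
    of itself; otherwise it is injection into a different binary.
    """
    writes = Counter((src, dst) for action, src, dst in events if action == "write")
    contexts = {(src, dst) for action, src, dst in events if action == "set_context"}
    findings = []
    for src, dst in sorted(contexts):
        if (src, dst) not in writes:
            continue  # context change without a prior write: not hollowing on its own
        same_image = processes.get(src) == processes.get(dst)
        findings.append({
            "source": src,
            "target": dst,
            "image": processes.get(dst),
            "writes": writes[(src, dst)],
            "kind": "self-hollowing" if same_image else "remote-injection",
        })
    return findings


if __name__ == "__main__":
    evs = parse_events(EVENT_LINES)
    print("injection graph:", build_injection_graph(evs))
    for finding in find_hollowing(evs, PROCESSES):
        print("finding:", finding)
```

Run as-is it prints the graph {1972: [2444, 2556], 2556: [2504]}, which matches the process tree, and a single self-hollowing finding for 2556 into 2504 with nine writes. The four writes from 1972 into each child it spawned recur for both children and carry no SetThreadContext, which is why only the 2556 to 2504 pair is reported; keying the rule on the write-plus-context combination, rather than on WriteProcessMemory alone, is what keeps ordinary process creation out of the results.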
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 161KB
  MD5: fb3ae19f3c99124fb0ed13205ba967c2
  SHA1: 4fc3d1efd07d29d657b2a8fb7bec3d05cd430627
  SHA256: 0a92b929cc8041cd868683116f3e7741cd22755a5ad57af56aa9bd6c54968c43
  SHA512: faef6c2fd3a71a308df24174e189f40b5e0909f3c99886d449f1b738dd91cedc2dbbaa4146f56448eb392f67925792c028dd92778ca3a440ed751378e5631b75

File 2
  Filesize: 195KB
  MD5: 269d7728dbb38468ba697dedc335d4e6
  SHA1: 3e6980bb5a3b0bf247800e6100dcbd7a97db2d4b
  SHA256: b452105ebb3c208a7955ac226a26c5d9322921c26f055c9ef10a0b4c5a4ae7b5
  SHA512: 0ae87dceeb02bf0b9d27a304b44add4fecc2382a9c444013d8e5add04b4760fe121839aea10f9eada8497e01ac85b0c2db2673897c0273cfe8d4c0a3915df3b6