Analysis
- max time kernel: 4s
- max time network: 3s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-04-2024 01:50
Static task: static1
Behavioral task: behavioral1
- Sample: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
- Size: 1.1MB
- MD5: f269ccb519476724082fd3d4383d5ca6
- SHA1: fd9005d5401c9d2df2d792eec8d47ba5cee2b9c6
- SHA256: e56800ef1346a3a28f31c466eb1d31655a127c7cb81647bb7697558e7a879ed2
- SHA512: 77e5f1499acfea03e9cef52d85c1189b7ea0283b005c8584bc559d5ab694c3d3870906c52c012a5ad64930819b05f618852cd289eaa4a73b157c171d799a69ac
- SSDEEP: 12288:3R3osGLyv32XrpXEJETL3ZaHa1fwd3DqjPtet4nQTl0RgiynJd4m8SdZuZCpnp+Z:B3pvHEdchJFZkyYsBkcUZL
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: hostcv.exe, winini.exe
  PID 3068 hostcv.exe
  PID 2680 winini.exe
- Loads dropped DLL (3 IoCs)
  Processes: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe, hostcv.exe
  PID 2224 f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe (2 events)
  PID 3068 hostcv.exe (1 event)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: hostcv.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hostcv.exe"
  The value lives in the user hive (HKCU Run, not HKLM), so it re-launches the dropped copy from the user's Temp directory at every logon of that user only.
- Suspicious use of SetThreadContext (1 IoC)
  Process: hostcv.exe
  PID 3068 (hostcv.exe) set thread context of PID 2680 (winini.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3068 hostcv.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: hostcv.exe
  Token: SeDebugPrivilege, PID 3068 hostcv.exe (2 events)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe, hostcv.exe
  PID 2224 (f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe) wrote to memory of PID 3068 (hostcv.exe): 4 events
  PID 3068 (hostcv.exe) wrote to memory of PID 2680 (winini.exe): 13 events
  Taken together with the SetThreadContext event and the SeDebugPrivilege adjustment above, the hostcv.exe -> winini.exe sequence (spawn a child, write into it, set its thread context) matches the process-hollowing pattern. The report does not capture what was written, so treat this as a strong indicator rather than proof.
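The two findings above that an analyst acts on first are the WriteProcessMemory/SetThreadContext chain from hostcv.exe into winini.exe and the Run-key entry pointing at hostcv.exe in Temp. The script below is an added example, not code from the report or from the sandbox: it parses the signature event lines exactly as the page prints them and flags both patterns. The event lines are copied from the report; the regexes, the USER_WRITABLE path list and the "hollowing candidate" label are this example's own assumptions.

```python
"""Triage the flattened signature records from a sandbox report.

Added example, not part of the report or the sandbox's own code.  It parses
the "Processes:" event lines as the page prints them and flags:
  * a parent that both wrote memory of and set the thread context of the
    same child PID (the hostcv.exe -> winini.exe sequence), and
  * a Run-key value whose target sits in a user-writable directory
    (the "Windows Live" value pointing at hostcv.exe in Temp).
The regexes, the USER_WRITABLE list and the risk labels are assumptions.
"""
import re
from collections import defaultdict

# Constructed input: event lines copied from the report, one per event.
# The report repeats identical WriteProcessMemory lines; duplicates do not
# change the result, so only a couple are kept here.
EVENTS = [
    "PID 2224 wrote to memory of 3068 2224 f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe hostcv.exe",
    "PID 3068 wrote to memory of 2680 3068 hostcv.exe winini.exe",
    "PID 3068 wrote to memory of 2680 3068 hostcv.exe winini.exe",
    "PID 3068 set thread context of 2680 3068 hostcv.exe winini.exe",
    "Token: SeDebugPrivilege 3068 hostcv.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live = '
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\hostcv.exe" hostcv.exe',
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
RUN_RE = re.compile(r'^Set value \(str\) (\S+)\\Run\\(.+?) = "(.*)" (\S+)$')

# Assumption: autostart targets under these fragments are writable by an
# unprivileged user, so a Run entry pointing there deserves a closer look.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def parse_events(lines):
    """Group raw report lines into per-PID write/context/privilege sets."""
    ev = {
        "writes": defaultdict(set),   # src pid -> {dst pid}
        "ctx": defaultdict(set),      # src pid -> {dst pid}
        "priv": defaultdict(set),     # pid -> {privilege name}
        "runkeys": [],                # (key path, value name, target, process)
        "names": {},                  # pid -> image name
    }
    for line in lines:
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            src, dst, sname, dname = m.groups()
            ev["writes"][src].add(dst)
            ev["names"].update({src: sname, dst: dname})
            continue
        m = CTX_RE.match(line)
        if m:
            src, dst, sname, dname = m.groups()
            ev["ctx"][src].add(dst)
            ev["names"].update({src: sname, dst: dname})
            continue
        m = TOKEN_RE.match(line)
        if m:
            priv, pid, name = m.groups()
            ev["priv"][pid].add(priv)
            ev["names"][pid] = name
            continue
        m = RUN_RE.match(line)
        if m:
            key, value, target, proc = m.groups()
            # The report JSON-escapes backslashes in the value; undo that.
            ev["runkeys"].append((key, value, target.replace("\\\\", "\\"), proc))
    return ev


def hollowing_candidates(ev):
    """(parent, child, parent_has_SeDebug) for every parent that both wrote
    memory of and set the thread context of the same child PID."""
    found = []
    for src, targets in ev["ctx"].items():
        for dst in targets & ev["writes"].get(src, set()):
            has_debug = "SeDebugPrivilege" in ev["priv"].get(src, set())
            found.append((ev["names"][src], ev["names"][dst], has_debug))
    return sorted(found)


def suspicious_autoruns(ev):
    """Run-key entries whose target lives in a user-writable location."""
    return [
        (value, target, proc)
        for _key, value, target, proc in ev["runkeys"]
        if any(frag in target.lower() for frag in USER_WRITABLE)
    ]


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    for parent, child, debug in hollowing_candidates(ev):
        print(f"injection chain: {parent} -> {child} (SeDebugPrivilege={debug})")
    for value, target, proc in suspicious_autoruns(ev):
        print(f"autorun {value!r} -> {target} (set by {proc})")
```

The write from the original sample (PID 2224) into hostcv.exe is deliberately not flagged: the report shows no SetThreadContext from 2224, so on this evidence it is ordinary parent-to-child memory writing rather than a hollowing sequence.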
Processes
- C:\Users\Admin\AppData\Local\Temp\f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f269ccb519476724082fd3d4383d5ca6_JaffaCakes118.exe"
  PID: 2224
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hostcv.exe (child of 2224)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hostcv.exe"
    PID: 3068
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\winini.exe (child of 3068)
      Command line: C:\Users\Admin\AppData\Local\Temp\winini.exe
      PID: 2680
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 696KB
  MD5: 771c6ba0050a51ca574d2e316468720b
  SHA1: 6fc9f25f8f6fd2295e394fbbac529c5ed6a80459
  SHA256: 5bcce062586bf4f2be50b18110cb25f413f2f2049f505f1aed7f588951826900
  SHA512: bbcbf93ae4ef4a08798c4f68b58267885a3db147d442ee5df449aa723d83d4e6004b901c28d55a463c74c072390b13434fccd198049cd93fc05af097f853fb64
- Filesize: 31KB
  MD5: ed797d8dc2c92401985d162e42ffa450
  SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2