Analysis
  max time kernel: 120s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 17-04-2024 01:02
Static task: static1
Behavioral task: behavioral1
  Sample: f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe
  Size: 363KB
  MD5: f4b6825221e1fa2c7e9f3d46917fa11d
  SHA1: 1c0d77931ec4f940c40f70ff0ad94d0562f996de
  SHA256: a6e7a65ad515a67a06dcbe2591faaef1b4629632c17fadc999ac1c45a87caa18
  SHA512: 3faca8a337148c3f7cfc15eaad85e50bf36baf3ecaa715af04392aa555559be0826c9e9dc97f9436a2b846b60a7e4a9fcc0e5ab5eb69a55894e4924926ab8169
  SSDEEP: 6144:4royc25Q/6MZd+MZZ+07Xg2VM+I5dzmd3u8Ot/Q5xm552yy1tzH:Xb2eSMZVZ+Ac+ILaxuD96s2yot
Malware Config
  Extracted: gcleaner
    194.145.227.161
Signatures
  OnlyLogger
    A tiny loader that uses IPLogger to get its payload.
  OnlyLogger payload (3 IoCs)
    Processes:
      resource                                                                    yara_rule
      behavioral1/memory/2232-2-0x0000000000220000-0x0000000000269000-memory.dmp  family_onlylogger
      behavioral1/memory/2232-3-0x0000000000400000-0x00000000023C4000-memory.dmp  family_onlylogger
      behavioral1/memory/2232-4-0x0000000000400000-0x00000000023C4000-memory.dmp  family_onlylogger
  Deletes itself (1 IoC)
    Processes:
      pid   process
      1844  cmd.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Kills process with taskkill (1 IoC)
    Processes:
      pid   process
      2388  taskkill.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes:
      description              pid   process
      Token: SeDebugPrivilege  2388  taskkill.exe
  Suspicious use of WriteProcessMemory (8 IoCs)
    Processes:
      description                        pid   process                                             target process
      PID 2232 wrote to memory of 1844   2232  f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe  cmd.exe
      PID 2232 wrote to memory of 1844   2232  f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe  cmd.exe
      PID 2232 wrote to memory of 1844   2232  f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe  cmd.exe
      PID 2232 wrote to memory of 1844   2232  f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe  cmd.exe
      PID 1844 wrote to memory of 2388   1844  cmd.exe                                             taskkill.exe
      PID 1844 wrote to memory of 2388   1844  cmd.exe                                             taskkill.exe
      PID 1844 wrote to memory of 2388   1844  cmd.exe                                             taskkill.exe
      PID 1844 wrote to memory of 2388   1844  cmd.exe                                             taskkill.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe"
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe" & exit
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\taskkill.exe
           command line: taskkill /im "f4b6825221e1fa2c7e9f3d46917fa11d_JaffaCakes118.exe" /f
           - Kills process with taskkill
           - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  file                                                            filesize
  memory/2232-1-0x00000000024B0000-0x00000000025B0000-memory.dmp  1024KB
  memory/2232-2-0x0000000000220000-0x0000000000269000-memory.dmp  292KB
  memory/2232-3-0x0000000000400000-0x00000000023C4000-memory.dmp  31.8MB
  memory/2232-4-0x0000000000400000-0x00000000023C4000-memory.dmp  31.8MB