e7e1de5c01ce0f5a7c4849e97ed38e2250dbb7bdb6859f0bd508546b2b22b091

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 00:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
Size

4.4MB
MD5

f6e3534d4b6925a02d8ae9ef9d0a5366
SHA1

8f92a281482c2aee4405203b4b1c0521f3e459d6
SHA256

e7e1de5c01ce0f5a7c4849e97ed38e2250dbb7bdb6859f0bd508546b2b22b091
SHA512

4c9f208daab7560fd299bd4a2083f7a0868a02977b8ef42ca83185141c0746f8039abb7b0141e58ae1b3acd26326ff7e6f6f5325c50e44586c6f1324069a3698
SSDEEP

98304:MgiJMQBR6hSE6RMMmE5rHjRhrSmvltsygVz4bqJIYryaMcAClHq:9iJMbSJMfE5ZNWygt4b4JMmg

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 22 IoCs

pid	Process
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 6 IoCs

evasion

pid	Process
1640	taskkill.exe
2312	taskkill.exe
2784	taskkill.exe
2616	taskkill.exe
768	taskkill.exe
1700	taskkill.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2420	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	28
PID 1924 wrote to memory of 2420	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	28
PID 1924 wrote to memory of 2420	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	28
PID 1924 wrote to memory of 2420	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	28
PID 1924 wrote to memory of 2420	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	28
PID 1924 wrote to memory of 2420	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	28
PID 1924 wrote to memory of 2420	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	28
PID 2420 wrote to memory of 2312	2420	cmd.exe	30
PID 2420 wrote to memory of 2312	2420	cmd.exe	30
PID 2420 wrote to memory of 2312	2420	cmd.exe	30
PID 2420 wrote to memory of 2312	2420	cmd.exe	30
PID 2420 wrote to memory of 2312	2420	cmd.exe	30
PID 2420 wrote to memory of 2312	2420	cmd.exe	30
PID 2420 wrote to memory of 2312	2420	cmd.exe	30
PID 1924 wrote to memory of 2428	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	32
PID 1924 wrote to memory of 2428	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	32
PID 1924 wrote to memory of 2428	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	32
PID 1924 wrote to memory of 2428	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	32
PID 1924 wrote to memory of 2428	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	32
PID 1924 wrote to memory of 2428	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	32
PID 1924 wrote to memory of 2428	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	32
PID 2428 wrote to memory of 2784	2428	cmd.exe	34
PID 2428 wrote to memory of 2784	2428	cmd.exe	34
PID 2428 wrote to memory of 2784	2428	cmd.exe	34
PID 2428 wrote to memory of 2784	2428	cmd.exe	34
PID 2428 wrote to memory of 2784	2428	cmd.exe	34
PID 2428 wrote to memory of 2784	2428	cmd.exe	34
PID 2428 wrote to memory of 2784	2428	cmd.exe	34
PID 1924 wrote to memory of 1956	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	35
PID 1924 wrote to memory of 1956	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	35
PID 1924 wrote to memory of 1956	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	35
PID 1924 wrote to memory of 1956	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	35
PID 1924 wrote to memory of 1956	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	35
PID 1924 wrote to memory of 1956	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	35
PID 1924 wrote to memory of 1956	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	35
PID 1956 wrote to memory of 2616	1956	cmd.exe	37
PID 1956 wrote to memory of 2616	1956	cmd.exe	37
PID 1956 wrote to memory of 2616	1956	cmd.exe	37
PID 1956 wrote to memory of 2616	1956	cmd.exe	37
PID 1956 wrote to memory of 2616	1956	cmd.exe	37
PID 1956 wrote to memory of 2616	1956	cmd.exe	37
PID 1956 wrote to memory of 2616	1956	cmd.exe	37
PID 1924 wrote to memory of 2132	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	38
PID 1924 wrote to memory of 2132	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	38
PID 1924 wrote to memory of 2132	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	38
PID 1924 wrote to memory of 2132	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	38
PID 1924 wrote to memory of 2132	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	38
PID 1924 wrote to memory of 2132	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	38
PID 1924 wrote to memory of 2132	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	38
PID 2132 wrote to memory of 768	2132	cmd.exe	40
PID 2132 wrote to memory of 768	2132	cmd.exe	40
PID 2132 wrote to memory of 768	2132	cmd.exe	40
PID 2132 wrote to memory of 768	2132	cmd.exe	40
PID 2132 wrote to memory of 768	2132	cmd.exe	40
PID 2132 wrote to memory of 768	2132	cmd.exe	40
PID 2132 wrote to memory of 768	2132	cmd.exe	40
PID 1924 wrote to memory of 1960	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	41
PID 1924 wrote to memory of 1960	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	41
PID 1924 wrote to memory of 1960	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	41
PID 1924 wrote to memory of 1960	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	41
PID 1924 wrote to memory of 1960	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	41
PID 1924 wrote to memory of 1960	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	41
PID 1924 wrote to memory of 1960	1924	f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe	41
PID 1960 wrote to memory of 1700	1960	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6e3534d4b6925a02d8ae9ef9d0a5366_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Funshion.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FSPServer.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionService.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "Updater.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpdate.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
  2⤵
  PID:924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "FunshionUpgrade.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst696F.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst696F.tmp\WelcomePage.ini

Filesize
126B

MD5
35e4b01a17602245e12abbc306e3613a

SHA1
4624562000e4fc68b436adcddf6cae7db8d5cb8c

SHA256
b886699e29278b684f76da55532f1e31640bca631165eb664ded5e43cc79f7db

SHA512
1d846ba4cd93262e217dd937f18042c27875a31fed0751055c94111d16e475e795e77aa0023d2d29f5f476347ba97344d73ff7af17e42aabfc37246218ddc09e

Download Submit
\Users\Admin\AppData\Local\Temp\nst696F.tmp\ExecCmd.dll

Filesize
4KB

MD5
b9380b0bea8854fd9f93cc1fda0dfeac

SHA1
edb8d58074e098f7b5f0d158abedc7fc53638618

SHA256
1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244

SHA512
45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Download Submit
\Users\Admin\AppData\Local\Temp\nst696F.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nst696F.tmp\InstallOptions.dll

Filesize
12KB

MD5
1d5c649dde35003a618b9679d5d71b92

SHA1
0409bbab3ab34f8c01289cdd847b4d1a32d05b18

SHA256
0f4d3cee24e3f310fa804983c931d3628613988a24f0be7854f63a9309b8e45f

SHA512
b432ebcc52905662d61a3f17e08e209a3f9d836a9071b3b5e80070af7ebcf34cf66c44426dda041c2a258fda4787e5692e2b35acbcd73288fb84fe3c977bbfd9

Download Submit
\Users\Admin\AppData\Local\Temp\nst696F.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit