Analysis
Max time kernel: 148s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 18/04/2024, 20:03
Static task: static1
Behavioral task: behavioral1
  Sample: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
Size: 23.5MB
MD5: 7b6d02a459fdaa4caa1a5bf741c4bd42
SHA1: 4eea45c22881a092ac7a8b0a5379076d5803e83e
SHA256: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
SHA512: d8d67ba37263832e7f7d0a945a04afe3d9cea24e78a2d82b00463a2ab575ddb0b53f020c9967391c8469a831c3205f68d010d752a17419d7c2bb34ae8dc55384
SSDEEP: 393216:zCTLRrqyYTljCQppkgSGlNoggc7k18J1unrY+M4ZtquYfZZrjMaDF1i:zCTLI3TZCQKGlZgc7k181W7fFOjMQ1i
Malware Config
Signatures
Deletes itself (1 IoC)
  PID   Process
  2804  cmd.exe
Executes dropped EXE (2 IoCs)
  PID   Process
  2504  NXTPKIENTS.exe
  2508  NXTPKIENTS.tmp
Loads dropped DLL (2 IoCs)
  PID   Process
  2592  rundll32.exe
  2504  NXTPKIENTS.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (8 IoCs)
  PID   Process
  2584  taskkill.exe
  768   taskkill.exe
  1704  taskkill.exe
  2628  taskkill.exe
  2420  taskkill.exe
  824   taskkill.exe
  2892  taskkill.exe
  2948  taskkill.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID   Process
  2592  rundll32.exe
  2592  rundll32.exe
  3004  powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  2508  NXTPKIENTS.tmp
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2420  taskkill.exe
  Token: SeDebugPrivilege  824   taskkill.exe
  Token: SeDebugPrivilege  2892  taskkill.exe
  Token: SeDebugPrivilege  2948  taskkill.exe
  Token: SeDebugPrivilege  2584  taskkill.exe
  Token: SeDebugPrivilege  768   taskkill.exe
  Token: SeDebugPrivilege  1704  taskkill.exe
  Token: SeDebugPrivilege  2628  taskkill.exe
  Token: SeDebugPrivilege  3004  powershell.exe
Suspicious use of WriteProcessMemory (61 IoCs)
  Description | PID | Process | Target procid
  PID 1724 wrote to memory of 2804 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 28
  PID 1724 wrote to memory of 2804 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 28
  PID 1724 wrote to memory of 2804 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 28
  PID 1724 wrote to memory of 2592 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 29
  PID 1724 wrote to memory of 2592 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 29
  PID 1724 wrote to memory of 2592 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 29
  PID 1724 wrote to memory of 2504 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 31
  PID 1724 wrote to memory of 2504 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 31
  PID 1724 wrote to memory of 2504 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 31
  PID 1724 wrote to memory of 2504 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 31
  PID 1724 wrote to memory of 2504 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 31
  PID 1724 wrote to memory of 2504 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 31
  PID 1724 wrote to memory of 2504 | 1724 | f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe | 31
  PID 2504 wrote to memory of 2508 | 2504 | NXTPKIENTS.exe | 32
  PID 2504 wrote to memory of 2508 | 2504 | NXTPKIENTS.exe | 32
  PID 2504 wrote to memory of 2508 | 2504 | NXTPKIENTS.exe | 32
  PID 2504 wrote to memory of 2508 | 2504 | NXTPKIENTS.exe | 32
  PID 2504 wrote to memory of 2508 | 2504 | NXTPKIENTS.exe | 32
  PID 2504 wrote to memory of 2508 | 2504 | NXTPKIENTS.exe | 32
  PID 2504 wrote to memory of 2508 | 2504 | NXTPKIENTS.exe | 32
  PID 2592 wrote to memory of 2572 | 2592 | rundll32.exe | 33
  PID 2592 wrote to memory of 2572 | 2592 | rundll32.exe | 33
  PID 2592 wrote to memory of 2572 | 2592 | rundll32.exe | 33
  PID 2508 wrote to memory of 2420 | 2508 | NXTPKIENTS.tmp | 35
  PID 2508 wrote to memory of 2420 | 2508 | NXTPKIENTS.tmp | 35
  PID 2508 wrote to memory of 2420 | 2508 | NXTPKIENTS.tmp | 35
  PID 2508 wrote to memory of 2420 | 2508 | NXTPKIENTS.tmp | 35
  PID 2508 wrote to memory of 824 | 2508 | NXTPKIENTS.tmp | 38
  PID 2508 wrote to memory of 824 | 2508 | NXTPKIENTS.tmp | 38
  PID 2508 wrote to memory of 824 | 2508 | NXTPKIENTS.tmp | 38
  PID 2508 wrote to memory of 824 | 2508 | NXTPKIENTS.tmp | 38
  PID 2508 wrote to memory of 2892 | 2508 | NXTPKIENTS.tmp | 40
  PID 2508 wrote to memory of 2892 | 2508 | NXTPKIENTS.tmp | 40
  PID 2508 wrote to memory of 2892 | 2508 | NXTPKIENTS.tmp | 40
  PID 2508 wrote to memory of 2892 | 2508 | NXTPKIENTS.tmp | 40
  PID 2508 wrote to memory of 2948 | 2508 | NXTPKIENTS.tmp | 42
  PID 2508 wrote to memory of 2948 | 2508 | NXTPKIENTS.tmp | 42
  PID 2508 wrote to memory of 2948 | 2508 | NXTPKIENTS.tmp | 42
  PID 2508 wrote to memory of 2948 | 2508 | NXTPKIENTS.tmp | 42
  PID 2508 wrote to memory of 2584 | 2508 | NXTPKIENTS.tmp | 44
  PID 2508 wrote to memory of 2584 | 2508 | NXTPKIENTS.tmp | 44
  PID 2508 wrote to memory of 2584 | 2508 | NXTPKIENTS.tmp | 44
  PID 2508 wrote to memory of 2584 | 2508 | NXTPKIENTS.tmp | 44
  PID 2508 wrote to memory of 768 | 2508 | NXTPKIENTS.tmp | 46
  PID 2508 wrote to memory of 768 | 2508 | NXTPKIENTS.tmp | 46
  PID 2508 wrote to memory of 768 | 2508 | NXTPKIENTS.tmp | 46
  PID 2508 wrote to memory of 768 | 2508 | NXTPKIENTS.tmp | 46
  PID 2508 wrote to memory of 1704 | 2508 | NXTPKIENTS.tmp | 48
  PID 2508 wrote to memory of 1704 | 2508 | NXTPKIENTS.tmp | 48
  PID 2508 wrote to memory of 1704 | 2508 | NXTPKIENTS.tmp | 48
  PID 2508 wrote to memory of 1704 | 2508 | NXTPKIENTS.tmp | 48
  PID 2508 wrote to memory of 2628 | 2508 | NXTPKIENTS.tmp | 50
  PID 2508 wrote to memory of 2628 | 2508 | NXTPKIENTS.tmp | 50
  PID 2508 wrote to memory of 2628 | 2508 | NXTPKIENTS.tmp | 50
  PID 2508 wrote to memory of 2628 | 2508 | NXTPKIENTS.tmp | 50
  PID 2592 wrote to memory of 3028 | 2592 | rundll32.exe | 54
  PID 2592 wrote to memory of 3028 | 2592 | rundll32.exe | 54
  PID 2592 wrote to memory of 3028 | 2592 | rundll32.exe | 54
  PID 2592 wrote to memory of 3004 | 2592 | rundll32.exe | 55
  PID 2592 wrote to memory of 3004 | 2592 | rundll32.exe | 55
  PID 2592 wrote to memory of 3004 | 2592 | rundll32.exe | 55
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child depth of each process)

C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1724

  C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\C7F.tmp.bat
    - Deletes itself
    PID: 2804

  C:\Windows\system32\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Hancom\hc-f8002b32.png" limsjo
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2592

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"
      PID: 2572

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /delete /f /tn "ChromeUpdateTaskMachineUAC"
      PID: 3028

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -executionpolicy bypass -File "C:\Users\Admin\.tmp\3205861455.ps1"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3004

  C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2504

    C:\Users\Admin\AppData\Local\Temp\is-1ED18.tmp\NXTPKIENTS.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-1ED18.tmp\NXTPKIENTS.tmp" /SL5="$50108,6291726,231424,C:\Users\Admin\AppData\Local\Temp\NXTPKIENTS.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      PID: 2508

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM iexplore.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2420

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM firefox.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 824

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM opera.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2892

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM safari.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2948

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM chrome.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2584

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM MicrosoftEdge.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 768

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM msedge.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1704

      C:\Windows\SysWOW64\taskkill.exe
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM NXTPKIENTSI.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2628
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 266B
MD5: ac25a41868ffe2fbb543b019fecb029a
SHA1: e180d40336a34e0676c2489e690dd2dbcb9ba21c
SHA256: 70cb6fa136134300d560145f46304b7a96d4ec36cc34f81fb91e835c8d4dc49d
SHA512: a5a7b8e145be753f1212b7a9b5cca54eb49a837ec3329273eecdceeac20da155c33514a6116b40c03179ca39a0a3cb253985f4a87d5a4e0176a3047de36398ec

Filesize: 462B
MD5: 104c57efa8f00f8769bf33227bae5dc4
SHA1: af99397ca760b417e2a3eaa55ad3d44bde16f315
SHA256: 0069c041fb5e8bfe9b244805a4e6840fef9830649ed6d7bea596641de3b8264b
SHA512: 2787e0ef41d45c08c610f8352865f9c89802bddcc545ae0c64de5ba2b2e7cdebdecd9f63d19f3c033a5bee2d7a53024e5cd3a386827d9895c249a75e4b86c56e

Filesize: 6.3MB
MD5: eb8d073840e95cf24c9c3f5a2b6470e0
SHA1: 2399567292f1e81630997fb4a151786d3e4938bb
SHA256: 0dd9aa5b650f519a55c96bf0dee73162d9ba510b60521780c34811de25cd7bb6
SHA512: 1347d8898b3e405c3de0ac90ea2880e215b745a58275b6ad8c027fa75c1f449949e7d77f820bb9bca445982b13c9f05f20ae6824445830ff7e65c71d12b18a8e

Filesize: 8.6MB
MD5: 88f183304b99c897aacfa321d58e1840
SHA1: 4a705f58918c00431de453d5b5f621fa42ff7169
SHA256: 61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92
SHA512: 8005d45f6b8321a3a925308c9f5683b868ad7f78cd37be619500d25a1ddd45d282d91ce8275300486c0397b4aefba78b9cd67d4cd50e763e3ca51dffc67c6115

Filesize: 1B
MD5: 4c761f170e016836ff84498202b99827
SHA1: fb3c6e4de85bd9eae26fdc63e75f10a7f39e850e
SHA256: 7ace431cb61584cb9b8dc7ec08cf38ac0a2d649660be86d349fb43108b542fa4
SHA512: 19d147676eb275f0f0125762f223719fde9958859f5400cc34e2887b64a26d96c3c4f9d5c0fbbda48f22820d4415a68a4fdb99028b3ba19778873a7125e56477

Filesize: 871KB
MD5: bba6e056a5595fd2d9b50cce5ce602a1
SHA1: 1405ba0d049270b5013a8ce79c879c781a140245
SHA256: 5ac7e37459228cb19d9be74e24a4963c28222d8ed2665caa8857ba1c9105401a
SHA512: 5a9e86396355e0681b8d2e6c464dc3cb22e96ac6d2d1ededbd96c1de6c05eb2d943ced98985d6ff805d1a42dee256d91e4502edc0e4020f1e990224d5a4d9b05