Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 19/04/2024, 07:01
Static task: static1
Behavioral task: behavioral1
- Sample: f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
- Size: 456KB
- MD5: f9c314deffc6ad255a00239c8a6e2da8
- SHA1: a0165f8fe3ea96f80cb4a83d07aea75284f060e3
- SHA256: 072253aa1c91cbbb84fec7939caa7e219446714a9e4a9849519a614dc4c6ba8a
- SHA512: 01fac65c0f113f018c8af496feb5d965cc01cb9235c3168430c00714aa0dedd264524000085e3f861ad0a5ba7a3faf691dec45234e58a076351dbb1c618bfacd
- SSDEEP: 12288:ftSj2nNYDHQBUWqCmBby7qkCPlgIzUAuk:lSEaHSIOn/IL
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2752, process mM01805KmCnF01805.exe
- Executes dropped EXE (1 IoC)
  pid 2752, process mM01805KmCnF01805.exe
- Loads dropped DLL (2 IoCs)
  pid 1308, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
  pid 1308, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
- YARA rule matches (4 IoCs)
  resource behavioral1/memory/1308-1-0x0000000000400000-0x00000000004C1000-memory.dmp, rule upx
  resource behavioral1/memory/1308-17-0x0000000000400000-0x00000000004C1000-memory.dmp, rule upx
  resource behavioral1/memory/2752-30-0x0000000000400000-0x00000000004C1000-memory.dmp, rule upx
  resource behavioral1/memory/2752-40-0x0000000000400000-0x00000000004C1000-memory.dmp, rule upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mM01805KmCnF01805 = "C:\\ProgramData\\mM01805KmCnF01805\\mM01805KmCnF01805.exe", process mM01805KmCnF01805.exe
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main, process mM01805KmCnF01805.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1308, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
  pid 2752, process mM01805KmCnF01805.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1308, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 2752, process mM01805KmCnF01805.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2752, process mM01805KmCnF01805.exe
  pid 2752, process mM01805KmCnF01805.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2752, process mM01805KmCnF01805.exe
  pid 2752, process mM01805KmCnF01805.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2752, process mM01805KmCnF01805.exe
  pid 2752, process mM01805KmCnF01805.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1308 wrote to memory of 2752, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe, procid_target 28
  PID 1308 wrote to memory of 2752, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe, procid_target 28
  PID 1308 wrote to memory of 2752, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe, procid_target 28
  PID 1308 wrote to memory of 2752, process f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe, procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe"
  PID: 1308
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\mM01805KmCnF01805\mM01805KmCnF01805.exe (depth 2)
    Command line: "C:\ProgramData\mM01805KmCnF01805\mM01805KmCnF01805.exe" "C:\Users\Admin\AppData\Local\Temp\f9c314deffc6ad255a00239c8a6e2da8_JaffaCakes118.exe"
    PID: 2752
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 456KB
- MD5: 47225d69b165811fcf9141c693352efe
- SHA1: 6f0534fdcd999d20f0226c331b10ec1a31e67638
- SHA256: 73cba9bfec12d61e516c3b8f4746ae3994628f774a2866341ac9e3b827b4afe8
- SHA512: bf9ec8f5be9cc6f752dc0cd04df685b58d8a4c5190e82526f459669ce46a0956888297a97e3d9c59ce69f606063d2e90fff736ed7a513c5b9fc3ba6e3a7acba3