Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
20/04/2024, 04:05
Static task
static1
Behavioral task
behavioral1
Sample
fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
-
Target
fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
-
Size
994KB
-
MD5
fbe353546e6e4500b13204985f674417
-
SHA1
9b18b4cef1013c4a75792f4ea8d06b7bb752c290
-
SHA256
5da53f51769b8ec07bedd2938871448487f209c80e63a11b30db409a1829ccc1
-
SHA512
d3db489225b6ecb39d93aeae7b40fd83d95d28d4f13c972b04d34dfa6abb05112114c90f3b9d1498388cf2bf56dd1f595a57317c4618a8076a1fe068fdb340d8
-
SSDEEP
12288:EHj4044T3b+mO2+sPQ3GWWJoOEqxEH2w2rnF8TN4Ho2I1D/+KH6R1/VxZaZBNjyy:M809T3/ixHWG72y2rnF8TKI2kMdxELNp
Malware Config
Signatures
-
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\SET19C8.tmp | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File created | C:\Windows\system32\DRIVERS\SET19C8.tmp | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File opened for modification | C:\Windows\system32\DRIVERS\Mslmedia.sys | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
-
Deletes itself 1 IoCs
pid | Process
2652 | cmd.exe
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\hllog.txt | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File created | C:\Windows\Setupsti.log | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
File opened for modification | C:\Windows\INF\setupapi.app.log | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2596 | PING.EXE
-
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
480 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeAuditPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeBackupPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeCreateTokenPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeLockMemoryPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSecurityPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeShutdownPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeTcbPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeMachineAccountPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeDebugPrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
Token: SeRestorePrivilege | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2372 wrote to memory of 2652 | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe | 28
PID 2372 wrote to memory of 2652 | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe | 28
PID 2372 wrote to memory of 2652 | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe | 28
PID 2372 wrote to memory of 2652 | 2372 | fbe353546e6e4500b13204985f674417_JaffaCakes118.exe | 28
PID 2652 wrote to memory of 2596 | 2652 | cmd.exe | 30
PID 2652 wrote to memory of 2596 | 2652 | cmd.exe | 30
PID 2652 wrote to memory of 2596 | 2652 | cmd.exe | 30
PID 2652 wrote to memory of 2596 | 2652 | cmd.exe | 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fbe353546e6e4500b13204985f674417_JaffaCakes118.exe"
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
-
  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_lm_delself_.bat" "
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2652
  -
    C:\Windows\SysWOW64\PING.EXE (depth 3)
    Command line: C:\Windows\system32\ping.exe 127.0.0.1 -n 2
    - Runs ping.exe
    PID:2596
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
146B
MD5 f8bf2cff95a98e4c9c9c4f3b4b60f58c
SHA1 cd06c7b3415ca56a6e2a937555655502d2ff1308
SHA256 3d53cfb03d4aea581bda9c632a509039862d22ad2a9173d10ee8aea0b8b70920
SHA512 cdcd7d6024cd125bc9969df3d5d7992618080db2ea07d84b795c1377943d7c9776ffd9be83ac58303768514d043a0c0379730713306d27ed4524424d2d0dc0a0
-
Filesize
22KB
MD5 9a78e22cc4623898b5b8908c40988529
SHA1 6f84342817c26d97cd9eb416ebea2f83509546cd
SHA256 9a0e4e71448129e9f1585649ff76d317553a10723abab7216f6bea4a413db82a
SHA512 88c3899adaf1d7e24dce564803141a9aa05035e29e238f47722d9233e6f352d5583b8d80fba471e842145246b9940bf37b9db06436ecf1a3f164b13b62b9373b