Analysis
- max time kernel: 120s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 04:08
Behavioral task: behavioral1
- Sample: fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- Size: 1003KB
- MD5: fbe4974aa207ef2f714ce642844f897c
- SHA1: 0d9cb2ee644cbbae4269834ddb170f77c54c6de1
- SHA256: 9e7d2e49a7773ee727b01ddb33aadb73667597eaba21d9b90dd28e590c807643
- SHA512: 403a715fa56b0b70b92163efd9e96eae88a4d5d8ce3fa65fb592dfae94470719293ed7ccc918f61ed7c262a87c7d8392881496637160df3c74192635594b67ef
- SSDEEP: 24576:p07cC9czqokhdbkiAyb5/vGQoadai7D3uITjIFOxo53ApIj:p042c2okhdbkiAyb5/vGQ7ai7D3xTgOu
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2040, process fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  PID 2040, process fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- Loads dropped DLL (1 IoC)
  PID 1640, process fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- yara_rule upx matched on 3 resources:
  behavioral1/memory/1640-0-0x0000000000400000-0x000000000065C000-memory.dmp
  behavioral1/files/0x000900000001223d-11.dat
  behavioral1/memory/2040-18-0x0000000000400000-0x000000000065C000-memory.dmp
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow 2, ioc pastebin.com
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2900, process schtasks.exe
- Modifies system certificate store (process fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe for every entry)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary data not shown]
  Key created: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405
  Set value (data): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = [binary data not shown]
- Suspicious behavior: RenamesItself (1 IoC)
  PID 1640, process fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 1640, process fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
  PID 2040, process fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (16 IoCs; each of the four relations below is reported four times)
  PID 1640 (fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe) wrote to memory of PID 2040, procid_target 29
  PID 2040 (fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe) wrote to memory of PID 2900, procid_target 30
  PID 2040 (fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe) wrote to memory of PID 2952, procid_target 32
  PID 2952 (cmd.exe) wrote to memory of PID 3020, procid_target 34
Processes
- C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe (PID 1640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe (PID 2040)
    Command line: C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2900)
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\fbe4974aa207ef2f714ce642844f897c_JaffaCakes118.exe" /TN MJu5Ub8Eff50 /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 2952)
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN MJu5Ub8Eff50 > C:\Users\Admin\AppData\Local\Temp\lcvOjTJ.xml
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 3020)
        Command line: schtasks.exe /Query /XML /TN MJu5Ub8Eff50
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f23e4e030be524f2072c2f258e634767
  SHA1: 12e573f88fbb2fe84269d4c249e2f8176cd2210d
  SHA256: 59f67899a588b7c018948f97ef9b7d6246493c7a11a6298e30d08896a1102c10
  SHA512: 1151f258421fb8ce4b1adcfb9ed32be43a69c78ad190462abbe7c584f4560fea6b1e959436eab182f5c21dffad02e9b6c66593055eed95428d6e1195732fbcef
- Filesize: 1003KB
  MD5: 79aa222cef3bf6f8018c653a6bb11766
  SHA1: 51d2ac44985569d9082d0bf8055d6dc76321b038
  SHA256: afae7411b55f3b0f5f91cea3ca04bd445e89eb6a6d5a5b0359b43db9bd14890e
  SHA512: 4f08da776f014be006b0c05bc2bc0c5d8c8eb9a5276e7f4d7d2c8018f81b92ee80d8bda85d35c5192f2b78dbe6ecaadcf5d4be07f9ed9461c52963a535dadf3f