Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
20-04-2024 10:00
Static task
static1
Behavioral task
behavioral1
Sample
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe
-
Size
287KB
-
MD5
fc8034de56341633f29ae81ac270b9bc
-
SHA1
30be16c3e4e908a80760e3652588a4721685e94d
-
SHA256
bd839030a526313dc365b4f43eebec68aba9684d36e5e3f6c2decd87e236d32c
-
SHA512
d5ee8b65d614f42d646f9af3c2ca8332faa2b6ef9e0f35b062062f57a02f2385d9983e627c6cce421a0eb774deb5c948927b2118760a118758c5103090fd95d4
-
SSDEEP
6144:Xf6Lg8gDnsD3YfaQsu39xN23T6ruCj06BtqkGY9hJRmKaB:uX3ELvNOT6qCj0YtqkRBQK
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
Processes:
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe -
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 1 IoCs
Processes:
96B4.tmppid process 1244 96B4.tmp -
Loads dropped DLL 2 IoCs
Processes:
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exepid process 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2272-1-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2272-3-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1796-14-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1796-13-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2272-16-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2272-178-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/1604-181-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2272-184-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2272-314-0x0000000000400000-0x000000000046C000-memory.dmp upx behavioral1/memory/2272-320-0x0000000000400000-0x000000000046C000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\090.exe = "C:\\Program Files (x86)\\LP\\152A\\090.exe" fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
Processes:
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exedescription ioc process File opened for modification C:\Program Files (x86)\LP\152A\96B4.tmp fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\LP\152A\090.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe File created C:\Program Files (x86)\LP\152A\090.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe -
Modifies registry class 5 IoCs
Processes:
explorer.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exepid process 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 1884 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
msiexec.exeexplorer.exedescription pid process Token: SeRestorePrivilege 2680 msiexec.exe Token: SeTakeOwnershipPrivilege 2680 msiexec.exe Token: SeSecurityPrivilege 2680 msiexec.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe Token: SeShutdownPrivilege 1884 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
explorer.exepid process 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
explorer.exepid process 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe 1884 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exedescription pid process target process PID 2272 wrote to memory of 1796 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1796 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1796 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1796 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1604 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1604 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1604 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1604 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe PID 2272 wrote to memory of 1244 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 96B4.tmp PID 2272 wrote to memory of 1244 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 96B4.tmp PID 2272 wrote to memory of 1244 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 96B4.tmp PID 2272 wrote to memory of 1244 2272 fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe 96B4.tmp -
System policy modification 1 TTPs 2 IoCs
Processes:
fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\A55FD\74715.exe%C:\Users\Admin\AppData\Roaming\A55FD2⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fc8034de56341633f29ae81ac270b9bc_JaffaCakes118.exe startC:\Program Files (x86)\FDEC6\lvvm.exe%C:\Program Files (x86)\FDEC62⤵PID:1604
-
C:\Program Files (x86)\LP\152A\96B4.tmp"C:\Program Files (x86)\LP\152A\96B4.tmp"2⤵
- Executes dropped EXE
PID:1244
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1884
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\A55FD\DEC6.55FFilesize
996B
MD50dc5ba34cc18fd5d54e201a87768dc67
SHA19157006f39345f5f17dd2d9c652163586796fdf1
SHA256790edbda5e29ec4c4f31667397cc80d10640995951de5eb61b0850c8e2763c35
SHA512fd77d57b52d6bc72b5bcc128ac6ddb572443559b99e5d177be3cefda1e63e6ee464d14036a92da291bee28aac55b47ee0ef9bc1ba02c0311a3b5c473c54bf7d6
-
C:\Users\Admin\AppData\Roaming\A55FD\DEC6.55FFilesize
600B
MD51998e09d824aa8ff2d4e7d90aa4218d5
SHA1a3274d0d3d2abc1f1f0a1f4c5cfb21604c8d6982
SHA2564e95bca65970cd06dc1ee5c53183df84d090872d26d139f83ebe54cc96096128
SHA512bc7a1d4e4ede8405136490d0ca8e68f03963f5f99fe6f2b2aaa667538b10374e7a11657b44f59becf62cf830e8cd52de011334f2aa0573c04e43f54e2d8c1309
-
C:\Users\Admin\AppData\Roaming\A55FD\DEC6.55FFilesize
1KB
MD5279af2fe1796afd415e35549a489f105
SHA1f2277450b2dc0ae4f0fd34fd5f8dcc978cf6f542
SHA2566fcd8ff0de08403583665b909c3f8119edbab0d40372fa58c47294e6134bee56
SHA512e8f1205adb567ed374adad20463ca601f51e1ad454cf6bae73bfc18628499afc1d9150b4485ebabd1db0b7c10557c2477040e8818fb128bab9abdb9578251880
-
\Program Files (x86)\LP\152A\96B4.tmpFilesize
102KB
MD5cb16a66b993b390f22b1d27172b1c6c4
SHA1b1ca81cf610806db8c6b9c3e438bec6dbe322237
SHA256313e3e8871c869a745b1d116e6b8361610690f209fb28498553bada6dac4010a
SHA512a776c7ca7c1a58a5e10c6f926d470b0a725eac07a9e9281f3c6901d32eecc3a19105c7a463972613150d794c64bdef04da29cf0e573367f2c0a92938c36366f8
-
memory/1244-315-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1244-312-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1244-313-0x0000000000270000-0x0000000000370000-memory.dmpFilesize
1024KB
-
memory/1604-181-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/1604-182-0x0000000001D50000-0x0000000001D98000-memory.dmpFilesize
288KB
-
memory/1796-13-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/1796-14-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/1796-15-0x0000000001E80000-0x0000000001EC8000-memory.dmpFilesize
288KB
-
memory/1884-183-0x00000000045A0000-0x00000000045A1000-memory.dmpFilesize
4KB
-
memory/1884-317-0x00000000045A0000-0x00000000045A1000-memory.dmpFilesize
4KB
-
memory/2272-179-0x0000000001E30000-0x0000000001F30000-memory.dmpFilesize
1024KB
-
memory/2272-184-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2272-1-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2272-16-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2272-178-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2272-3-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2272-314-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB
-
memory/2272-2-0x0000000001E30000-0x0000000001F30000-memory.dmpFilesize
1024KB
-
memory/2272-320-0x0000000000400000-0x000000000046C000-memory.dmpFilesize
432KB