Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 14:44
Static task
- static1
Behavioral task
- behavioral1
  Sample: fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
- Target: fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
- Size: 78KB
- MD5: fcffb4ce16c89877980e21fd9e6bf210
- SHA1: e5ca389588a27d36979c1e9b4a71baab28808ff3
- SHA256: 5306838a2fb211bb013a385545077a0154f1c55175ab5c75cc92a44da17c644d
- SHA512: 101e7a0a3bb8ce0a69f45a73d6116027715db9b97e681c0f023256eeb493936010f7319acbf5c9093db09e06ac38b0e28f8bf872ce72a6493672752dfb6abe3f
- SSDEEP: 1536:UtHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtPk9/cr1aM:UtHLdSE2EwR4uY41HyvYPk9/u
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2656  tmpD78.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
    1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""
    process: tmpD78.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
    Token: SeDebugPrivilege  2656  tmpD78.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                              target process
    PID 1700 wrote to memory of 2076   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  vbc.exe
    PID 1700 wrote to memory of 2076   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  vbc.exe
    PID 1700 wrote to memory of 2076   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  vbc.exe
    PID 1700 wrote to memory of 2076   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  vbc.exe
    PID 2076 wrote to memory of 2568   2076  vbc.exe                                              cvtres.exe
    PID 2076 wrote to memory of 2568   2076  vbc.exe                                              cvtres.exe
    PID 2076 wrote to memory of 2568   2076  vbc.exe                                              cvtres.exe
    PID 2076 wrote to memory of 2568   2076  vbc.exe                                              cvtres.exe
    PID 1700 wrote to memory of 2656   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  tmpD78.tmp.exe
    PID 1700 wrote to memory of 2656   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  tmpD78.tmp.exe
    PID 1700 wrote to memory of 2656   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  tmpD78.tmp.exe
    PID 1700 wrote to memory of 2656   1700  fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe  tmpD78.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe"
    Loads dropped DLL
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\haavaogf.cmdline"
      Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE34.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fcffb4ce16c89877980e21fd9e6bf210_JaffaCakes118.exe
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESE35.tmp
  Filesize: 1KB
  MD5: 1593712e196ac55209f859f94b62f469
  SHA1: d9662d56c98b6b296a921d9f9d1a1b903e37c891
  SHA256: 185cb1ebaee26f65a72916aa9f17515072bb861e6a0e3f55c2158ab1a0bb5d2c
  SHA512: 433ce2c561b177a5a097732c3d84eeb937c4bada8c9949fca643d13e08f9b82f7f3003f45131a50dd9c6118dc19bf35937d6ce99ff5e5add9a525411a990b0d5
- C:\Users\Admin\AppData\Local\Temp\haavaogf.0.vb
  Filesize: 15KB
  MD5: 12305af3b221139e1982b7c4549e7550
  SHA1: cc5f544d013edf9a84ac27cf2c9bb9601001c7c8
  SHA256: 55d67965b99685561e360d14a1486affb1eab3bf25ef56dfb8faab34b5da3b12
  SHA512: fcf1960e648cd0daa1186768e50cb9b2b7b2cf14c4d65ffca40f6532683be660b4180148d64740a7fb690563a5bf57bb0777e578a9af474d169ac7511cccdd80
- C:\Users\Admin\AppData\Local\Temp\haavaogf.cmdline
  Filesize: 265B
  MD5: 1c1e4550cf39eb32c870e2be64a2f5c7
  SHA1: e2e81eef1863efcd1373125f93779a63759927ee
  SHA256: 84a6857bf473fc753467904e760ac6fb517721c5cb17021c71a007b87f4ff0e9
  SHA512: d22a7058780c740635859390182b6ab3e4ab794689f5fbfef1823af2b0040eff0cddca8ab008d2c90bae5387aad7c746bad1164a625715d9918996cf9896a73b
- C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe
  Filesize: 78KB
  MD5: e0f582179ed79c6a7a109603defba5b9
  SHA1: a4b1f864fb51841c9e6a93d7564685554ea0fac2
  SHA256: 6a582bb61aa7e8857536503e87ac3cef6cb2f49329adb32b62c6083d57c04690
  SHA512: 7adcd559025dcf32eb63a0530afb7360659ade641ac85d1ac0a3c18ef0437e42368f436a6d59cd45f927eb4e45f7a4f29069333469986206c0396301f5622dd9
- C:\Users\Admin\AppData\Local\Temp\vbcE34.tmp
  Filesize: 660B
  MD5: 469bc564a8621266d22479cfe5844a6d
  SHA1: d3c02e5e012477001df0f85046acd0c55cb6e1f8
  SHA256: b6c3a4d18476cbcfe2dccd615e9a51b15743b9a3f14aabec7a9f814de85116ba
  SHA512: c778728a37bb53bbf274f261ad1c89b9d25f541a20b9dec39dcfaa3c8765c312e81708ea66381b0a3a2d8426347e40759c9b274037399fd1024e7aa376000002
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 6870a276e0bed6dd5394d178156ebad0
  SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
  SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
  SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809
- memory/1700-2-0x00000000746F0000-0x0000000074C9B000-memory.dmp
  Filesize: 5.7MB
- memory/1700-1-0x00000000020A0000-0x00000000020E0000-memory.dmp
  Filesize: 256KB
- memory/1700-0-0x00000000746F0000-0x0000000074C9B000-memory.dmp
  Filesize: 5.7MB
- memory/1700-22-0x00000000746F0000-0x0000000074C9B000-memory.dmp
  Filesize: 5.7MB
- memory/2656-23-0x00000000746F0000-0x0000000074C9B000-memory.dmp
  Filesize: 5.7MB
- memory/2656-24-0x00000000002F0000-0x0000000000330000-memory.dmp
  Filesize: 256KB
- memory/2656-25-0x00000000746F0000-0x0000000074C9B000-memory.dmp
  Filesize: 5.7MB
- memory/2656-27-0x00000000002F0000-0x0000000000330000-memory.dmp
  Filesize: 256KB
- memory/2656-29-0x00000000002F0000-0x0000000000330000-memory.dmp
  Filesize: 256KB
- memory/2656-28-0x00000000746F0000-0x0000000074C9B000-memory.dmp
  Filesize: 5.7MB
- memory/2656-30-0x00000000002F0000-0x0000000000330000-memory.dmp
  Filesize: 256KB