Analysis

max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 20:37
Static task: static1
Behavioral task: behavioral1
  Sample: fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
  Resource: win10v2004-20240412-en

The signatures, process tree and dumps below come from the Windows 7 x64 run (behavioral1, platform windows7_x64 above); results of the Windows 10 run are not on this page.
General

Target: fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
Size: 1.0MB
MD5: fd98e0c2a8558c0a96ef150eb111c45e
SHA1: 6d803347797695be2f83000e4b363d30ae8d2aa9
SHA256: 2e5f7852f8c8fe9f8bfb227a213c5ae9be86a53987866a37c66fcc83046a3e92
SHA512: 7efa3783333e3da291b6eee4f1eedc21a2752b6ee7f8fc72a99ccad2414fbadca30e7162fc9c48b988cb66aec81ad29c0bf4cf484edc1bde8a808c24327ecb0c
SSDEEP: 12288:KZb+woHUIZI+DkVurXnnW2aLkEgB1BqKSKXxDL6nF/8ixtBQ4Tdu3qHFVJJmVxS9:wTIZ9RznnWuEgfIO8xC3egSY8
Malware Config: nothing listed for this run
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  pid 2928  netsh.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid 1196  LocalJFiRTpkrdv.exe
  pid 2764  LocaldOwXcLcKGH..exe

Loads dropped DLL (1 IoC)
Processes:
  pid 2764  LocaldOwXcLcKGH..exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b2c41a500900e95b9bf67ec858345ab = "\"C:\\Users\\Admin\\AppData\\LocalJFiRTpkrdv.exe\" .."  LocalJFiRTpkrdv.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b2c41a500900e95b9bf67ec858345ab = "\"C:\\Users\\Admin\\AppData\\LocalJFiRTpkrdv.exe\" .."  LocalJFiRTpkrdv.exe
The same autostart value is written to both the machine hive and the user's hive, and its name is a 32-hex-character string rather than a product name; both traits are usable as hunting criteria.

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only)  \??\F:  LocaldOwXcLcKGH..exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  File opened for modification  \??\PhysicalDrive0  LocaldOwXcLcKGH..exe
Caveat: the IoC recorded here is a write-capable handle on the raw disk, not a captured write; confirm with a sector-0 comparison before and after the run (or boot-record imaging on a real host) before treating the sample as a bootkit.

Drops file in Windows directory (2 IoCs)
Processes:
  File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new  fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
  File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new  fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe
Caveat: the .cch.new files are written by the .NET 2.0 runtime when it refreshes its code-access-security policy cache; they indicate that the dropper is a .NET binary, not malicious activity in their own right.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (55 IoCs)
Processes (all from pid 1196, LocalJFiRTpkrdv.exe):
  Token: SeDebugPrivilege  1196  LocalJFiRTpkrdv.exe
  followed by the remaining 54 entries alternating between
  Token: 33  1196  LocalJFiRTpkrdv.exe
  Token: SeIncBasePriorityPrivilege  1196  LocalJFiRTpkrdv.exe
  (the sandbox records the second privilege only by its numeric value, 33)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  PID 3040 (fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe) wrote to memory of 1196 (LocalJFiRTpkrdv.exe)   3 times
  PID 3040 (fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe) wrote to memory of 2764 (LocaldOwXcLcKGH..exe)  4 times
  PID 1196 (LocalJFiRTpkrdv.exe) wrote to memory of 2928 (netsh.exe)  3 times
Caveat: every target is a direct child of the writer, which is the pattern ordinary process creation also produces; nothing here shows injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe  (PID 3040)
  command line: "C:\Users\Admin\AppData\Local\Temp\fd98e0c2a8558c0a96ef150eb111c45e_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe  (PID 1196, child of 3040)
    command line: "C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\netsh.exe  (PID 2928, child of 1196)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe" "LocalJFiRTpkrdv.exe" ENABLE
      - Modifies Windows Firewall
      (the legacy netsh firewall context has been deprecated in favour of netsh advfirewall since Windows Vista but is still honoured here; a firewall exception whose program path lies under C:\Users is itself a strong hunting artifact)

  C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe  (PID 2764, child of 3040)
    command line: "C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
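The three behaviours that make this tree worth alerting on (a Run-key value with a hash-like name pointing into AppData, a netsh firewall exception for a binary under C:\Users, and a write-capable open of \??\PhysicalDrive0 by a non-system image) translate directly into host-side hunting rules. The Python below is an added example, not part of the sandbox report or of any vendor tooling. The Event schema, the rule names and the C:\Windows image allowlist are assumptions of this example; the event records are constructed to mirror the observations above, plus three benign look-alikes that must stay quiet.

```python
"""Hunting rules for the behaviours in the sandbox tree above (added example).

Event records are constructed, loosely modelled on Sysmon registry-set,
process-create and raw-device-open telemetry; the schema is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "registry" | "process" | "rawdevice"
    image: str         # image path of the acting process
    target: str = ""   # registry value path, command line, or device path
    data: str = ""     # registry value data (registry events only)


# Run-key value path, capturing the value name.
RUN_VALUE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# 32 hex chars: the value name in the report looks like an MD5.
HASHLIKE = re.compile(r"^[0-9a-f]{32}$", re.I)
# An .exe directly in %USERPROFILE%\AppData, not under Local\, Roaming\
# or LocalLow\, which is where this dropper put both payloads.
APPDATA_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\Users\\[^\\]+\\AppData\\[^\\]+\.exe', re.I)
UNDER_USER_PROFILE = re.compile(r"[a-z]:\\Users\\", re.I)
# Legacy "netsh firewall add allowedprogram" (used here) and its
# advfirewall successor.
NETSH_ALLOW = re.compile(
    r"netsh\s+(?:firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule)", re.I)
# \\.\PhysicalDriveN (Win32 form) or \??\PhysicalDriveN (NT form, as logged).
PHYSICAL_DRIVE = re.compile(r"^(?:\\\\\.\\|\\\?\?\\)PhysicalDrive\d+$", re.I)
SYSTEM_IMAGE = re.compile(r"^[a-z]:\\Windows\\", re.I)   # crude allowlist


def rule_run_key(ev):
    """Autostart value with a hash-like name or a target in the AppData root."""
    if ev.kind != "registry":
        return None
    m = RUN_VALUE.search(ev.target)
    if not m:
        return None
    reasons = []
    if HASHLIKE.match(m.group(1)):
        reasons.append("hash-like value name")
    if APPDATA_ROOT_EXE.match(ev.data):
        reasons.append("target exe directly in AppData root")
    return ("run_key_autostart", "; ".join(reasons)) if reasons else None


def rule_firewall_exception(ev):
    """netsh allow-rule whose program lives under a user profile."""
    if ev.kind != "process" or not NETSH_ALLOW.search(ev.target):
        return None
    if UNDER_USER_PROFILE.search(ev.target):
        return ("firewall_exception_user_profile",
                "firewall exception for a program under C:\\Users")
    return None


def rule_raw_disk_open(ev):
    """Non-system image opening a physical-drive handle (the MBR write path)."""
    if ev.kind != "rawdevice" or not PHYSICAL_DRIVE.match(ev.target):
        return None
    if SYSTEM_IMAGE.match(ev.image):
        return None
    return ("raw_physicaldrive_open", "non-system image opened " + ev.target)


RULES = (rule_run_key, rule_firewall_exception, rule_raw_disk_open)


def evaluate(events):
    """Return (rule, image, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            r = rule(ev)
            if r is not None:
                hits.append((r[0], ev.image, r[1]))
    return hits


# Constructed telemetry: the first three mirror the report; the rest are
# benign look-alikes (OneDrive autostart, a Program Files firewall rule,
# svchost touching the disk) that must not fire.
SAMPLE_EVENTS = [
    Event("registry", r"C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
          r"\8b2c41a500900e95b9bf67ec858345ab",
          r'"C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe" ..'),
    Event("process", r"C:\Windows\system32\netsh.exe",
          r'netsh firewall add allowedprogram '
          r'"C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe" "LocalJFiRTpkrdv.exe" ENABLE'),
    Event("rawdevice", r"C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe",
          r"\??\PhysicalDrive0"),
    Event("registry", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event("process", r"C:\Windows\system32\netsh.exe",
          r'netsh advfirewall firewall add rule name="Foo" dir=in action=allow '
          r'program="C:\Program Files\Foo\foo.exe"'),
    Event("rawdevice", r"C:\Windows\System32\svchost.exe", r"\\.\PhysicalDrive0"),
]

if __name__ == "__main__":
    for rule, image, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

Run as a script it prints three hits, one per malicious event, and nothing for the look-alikes. The image-path allowlist is deliberately crude: it keeps svchost.exe-style noise from VSS or defrag out, but a sample that injects into a system process or copies itself under C:\Windows would pass, so in production key the exclusion on signer or known-good hash rather than on path. Likewise the hash-like value name is a stylistic trait of this dropper and should add to a score, not be required.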
Network: no entries on this page

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
  - Impair Defenses (1): Disable or Modify System Firewall (1)
  - Modify Registry (1)
  - Pre-OS Boot (1): Bootkit (1)
Downloads

C:\Users\Admin\AppData\LocalJFiRTpkrdv.exe
  Filesize: 99KB
  MD5: 121ffbd73501445f6d92bd8926c601d0
  SHA1: f286e21fdabb2df748591d4339d815c13f60ffd0
  SHA256: 51357a4e625b3c94fe6047f3c5152efd1cbd4d9e8530e3ce14c54984ceb95561
  SHA512: 368a30e330a364b653e8acf0feadd6f50ea757f872d0e85bde280e23e2ad4ebf9f604c8df2e679c8aa971135abac090490f3efee03dbe312531e0f1976f2464d

C:\Users\Admin\AppData\LocaldOwXcLcKGH..exe
  Filesize: 1.5MB
  MD5: ab22f6d86627ff7cd3ecb8bad27fa041
  SHA1: f020d4c5aa9778d97dd20e7d3a486951c7f4e0af
  SHA256: e4ad01ce4e61a35a3a5bfd8161a629d3a77c25b78257a79e2cf8656084f9e8c1
  SHA512: 1501aa4f2ff3417a7e7ecb721163c43f720e1f785bea0d673028ac20a86009c7fa89f38530cfad26d556b37de3f291cef753ce472f961ed4696771d07fef493c

\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll
  Filesize: 74KB
  MD5: 2814acbd607ba47bdbcdf6ac3076ee95
  SHA1: 50ab892071bed2bb2365ca1d4bf5594e71c6b13b
  SHA256: 5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67
  SHA512: 34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Both dropped executables land in C:\Users\Admin\AppData\ itself, with "Local" fused onto the filename (and a doubled dot in the second), which looks like a missing path separator in the dropper; an .exe sitting directly in AppData rather than under Local\, Roaming\ or LocalLow\ is a strong hunting artifact on its own. The dr.dll under Tencent\TxGameAssistant\TGBDownloader is the DLL behind the "Loads dropped DLL" signature on PID 2764.

Memory dumps (the 9.6MB region 0x000007FEF5EE0000-0x000007FEF687D000 is mapped in both PID 3040 and PID 1196):
  memory/3040-0-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp   Filesize: 9.6MB
  memory/3040-1-0x000000001B110000-0x000000001B2BA000-memory.dmp   Filesize: 1.7MB
  memory/3040-2-0x0000000000AA0000-0x0000000000B20000-memory.dmp   Filesize: 512KB
  memory/3040-3-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp   Filesize: 9.6MB
  memory/3040-27-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp  Filesize: 9.6MB
  memory/1196-12-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp  Filesize: 9.6MB
  memory/1196-15-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp  Filesize: 9.6MB
  memory/1196-28-0x0000000000530000-0x000000000053E000-memory.dmp  Filesize: 56KB
  memory/1196-29-0x000007FEF5EE0000-0x000007FEF687D000-memory.dmp  Filesize: 9.6MB
  memory/1196-30-0x00000000005E0000-0x0000000000660000-memory.dmp  Filesize: 512KB