Analysis

max time kernel:    57s
max time network:   129s
platform:           windows7_x64
resource:           win7-20240221-en
resource tags:      arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:          26/04/2024, 07:40

Behavioral task:    behavioral1
Sample:             004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
Resource:           win7-20240221-en
General

Target:   004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
Size:     2.2MB
MD5:      004b99c7f22dae72be75009dbc37a1ed
SHA1:     65a4deebd20b9118783648d683b9b937155992b1
SHA256:   8abda48d158a2f9f4bc46409d75f3a1da21e94254b6d58abdc1a34b15913d3d7
SHA512:   79273b141641db85e7af24683734ee8a6dc7c0d9c3efa1e50d88a6bae6b536498f8c8a952fb13030a8d205f738f59c17641460cb4cdc50416b7c108cbc514b88
SSDEEP:   24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ7:0UzeyQMS4DqodCnoe+iitjWwwP
Malware Config

Extracted
  Family:        pony
  C2:            http://don.service-master.eu/gate.php
  payload_url:   http://don.service-master.eu/shit.exe
Signatures

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  112 | explorer.exe
  1688 | explorer.exe
  276 | spoolsv.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  1688 | explorer.exe
  1688 | explorer.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1712 set thread context of 2496 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 31
  PID 112 set thread context of 1688 | 112 | explorer.exe | 33

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  1688 | explorer.exe
  1688 | explorer.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 1712 wrote to memory of 2668 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 28
  PID 1712 wrote to memory of 2668 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 28
  PID 1712 wrote to memory of 2668 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 28
  PID 1712 wrote to memory of 2668 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 28
  PID 1712 wrote to memory of 2496 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 31
  PID 1712 wrote to memory of 2496 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 31
  PID 1712 wrote to memory of 2496 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 31
  PID 1712 wrote to memory of 2496 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 31
  PID 1712 wrote to memory of 2496 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 31
  PID 1712 wrote to memory of 2496 | 1712 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 31
  PID 2496 wrote to memory of 112 | 2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 32
  PID 2496 wrote to memory of 112 | 2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 32
  PID 2496 wrote to memory of 112 | 2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 32
  PID 2496 wrote to memory of 112 | 2496 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 32
  PID 112 wrote to memory of 1688 | 112 | explorer.exe | 33
  PID 112 wrote to memory of 1688 | 112 | explorer.exe | 33
  PID 112 wrote to memory of 1688 | 112 | explorer.exe | 33
  PID 112 wrote to memory of 1688 | 112 | explorer.exe | 33
  PID 112 wrote to memory of 1688 | 112 | explorer.exe | 33
  PID 112 wrote to memory of 1688 | 112 | explorer.exe | 33
  PID 1688 wrote to memory of 276 | 1688 | explorer.exe | 34
  PID 1688 wrote to memory of 276 | 1688 | explorer.exe | 34
  PID 1688 wrote to memory of 276 | 1688 | explorer.exe | 34
  PID 1688 wrote to memory of 276 | 1688 | explorer.exe | 34
Processes

Process tree (indentation shows parent/child depth; each entry gives the image path, the command line and the PID):

C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe"  PID: 1712
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe  cmd: C:\Windows\splwow64.exe 12288  PID: 2668
    C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe"  PID: 2496
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 112
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
            \??\c:\windows\system\explorer.exe  cmd: "c:\windows\system\explorer.exe"  PID: 1688
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 276
                  - Executes dropped EXE
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2784
                        \??\c:\windows\system\explorer.exe  cmd: c:\windows\system\explorer.exe  PID: 2712
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1736
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3116
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2876
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3528
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2036
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3148
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2976
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3824
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2572
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3832
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2728
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1536
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2452
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 940
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2600
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2660
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 676
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1128
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1476
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2484
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1300
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3784
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2628
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1336
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 2492
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2804
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1996
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 1472
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2868
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1844
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2204
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2020
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1396
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2908
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1744
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1640
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2140
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2956
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2376
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2596
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1484
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 864
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2960
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1968
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1612
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1980
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3012
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2056
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1564
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2348
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2700
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1672
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2340
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1776
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2512
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1440
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2952
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1332
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2244
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2176
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3024
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 580
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1588
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2004
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2520
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1712
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2280
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1384
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1956
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3068
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2924
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1816
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2560
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1684
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1428
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2024
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2724
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1708
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1116
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 2636
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 588
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1888
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1604
                    \??\c:\windows\system\spoolsv.exe  cmd: "c:\windows\system\spoolsv.exe"  PID: 3080
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3048
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3252
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3900
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3028
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 3524
                \??\c:\windows\system\spoolsv.exe  cmd: c:\windows\system\spoolsv.exe SE  PID: 1368
Downloads

Download 1
  Filesize:  74B
  MD5:       6687785d6a31cdf9a5f80acb3abc459b
  SHA1:      1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256:    3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512:    5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download 2
  Filesize:  2.2MB
  MD5:       bb09f4d4aa1ac1ae5f31e09e0067f326
  SHA1:      265012d2f36319bdc384143ea4c0b99766cc2b2c
  SHA256:    36a0e1b035f682fb4405e199953936fc1f1bdffe0c168002db3190f8bc1405cf
  SHA512:    21137c08b39e315c9e6aa548c8ada02200bd76133460ff9b5b879b04e26cad867322004f2085943c29db36276df1f882d6a88bfe47cf258e23cbc9a0b90cfc75

Download 3
  Filesize:  2.2MB
  MD5:       c1a93109cf33433f5c3fd97b70d4f941
  SHA1:      8e6ed363a58bfc0d3d300f8120fe6897aec535d4
  SHA256:    33632e2f34343bc4d75b25fb02da5e3cdaba800641367be96957a1666d4c13a4
  SHA512:    7eac1a2d69478886b3cc26c2aada21ec1e19fc9d92fd2d7fb379be8383e1fbad9a0a6f8a71114bea207b5739710719ebd77ca8dcba96f8af86e6ef1cd9d7afa7