Analysis
max time kernel: 92s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/04/2024, 07:40
Behavioral task: behavioral1
Sample: 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
Size: 2.2MB
MD5: 004b99c7f22dae72be75009dbc37a1ed
SHA1: 65a4deebd20b9118783648d683b9b937155992b1
SHA256: 8abda48d158a2f9f4bc46409d75f3a1da21e94254b6d58abdc1a34b15913d3d7
SHA512: 79273b141641db85e7af24683734ee8a6dc7c0d9c3efa1e50d88a6bae6b536498f8c8a952fb13030a8d205f738f59c17641460cb4cdc50416b7c108cbc514b88
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ7:0UzeyQMS4DqodCnoe+iitjWwwP
Malware Config
Extracted family: pony
C2 gate: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Both URLs come from the extracted Pony configuration and should be treated as indicators to match against proxy and DNS logs, not as addresses to fetch from an analysis host.
Signatures

Drops startup file (2 IoCs)
  description                  | ioc                                                                                                                              | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  The sample copies itself into the per-user Startup folder, so it is launched again at every logon of the Admin account.

Executes dropped EXE (3 IoCs)
  pid  | process
  2964 | explorer.exe
  6052 | explorer.exe
  440  | spoolsv.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                         | pid  | process                                            | procid_target
  PID 3984 set thread context of 4200 | 3984 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 100
  PID 2964 set thread context of 6052 | 2964 | explorer.exe                                       | 104
  In both rows the target is a child running the same image as the caller (see the process tree), and the same parent/child pairs appear under WriteProcessMemory below. Child started, memory written, thread context replaced is the pattern characteristic of process hollowing.

Drops file in Windows directory (4 IoCs)
  description                  | ioc                                | process
  File opened for modification | C:\Windows\Parameters.ini          | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  File opened for modification | C:\Windows\Parameters.ini          | explorer.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe  | explorer.exe
  Note the directory: the genuine explorer.exe lives in C:\Windows and the genuine spoolsv.exe in C:\Windows\System32. The copies under c:\windows\system borrow the names but not the locations, which is what makes them straightforward to flag by full path.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | process
  4200 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  4200 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid  | process
  4200 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  4200 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe
  6052 | explorer.exe
  6052 | explorer.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                      | pid  | process                                            | procid_target | count
  PID 3984 wrote to memory of 3620 | 3984 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 91            | 2
  PID 3984 wrote to memory of 4200 | 3984 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 100           | 5
  PID 4200 wrote to memory of 2964 | 4200 | 004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe | 103           | 3
  PID 2964 wrote to memory of 6052 | 2964 | explorer.exe                                       | 104           | 5
  PID 6052 wrote to memory of 440  | 6052 | explorer.exe                                       | 105           | 3
  count = number of identical events recorded for that row (18 in total)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe  (PID 3984)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe"
    signatures: Drops startup file; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe  (PID 3620)
      cmdline: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe  (PID 4200)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe"
      signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe  (PID 2964)
        cmdline: c:\windows\system\explorer.exe
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe  (PID 6052)
          cmdline: "c:\windows\system\explorer.exe"
          signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe  (PID 440)   cmdline: c:\windows\system\spoolsv.exe SE   signatures: Executes dropped EXE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 2692)   cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe  (PID 1436)   cmdline: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe  (PID 4224)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 4164)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 5444)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 2592)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 4488)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 1404)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 4160)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 6116)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 4448)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 4452)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 4824)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 3576)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 2952)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 2428)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3568)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 3728)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3264)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 4984)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3804)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 3208)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3108)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 3800)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3084)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 4420)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 4700)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 5632)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3404)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 4044)   cmdline: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe  (PID 2080)   cmdline: c:\windows\system\explorer.exe
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3924)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 6096)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 1852)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 5316)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 6120)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 4568)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3548)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 5876)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 840)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 1972)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 3304)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 1516)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 5860)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 2484)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 4916)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 5188)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 5604)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 5840)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 6012)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 2588)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 2180)   cmdline: c:\windows\system\spoolsv.exe SE
          [6] \??\c:\windows\system\spoolsv.exe  (PID 2868)   cmdline: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe  (PID 1968)   cmdline: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe  (PID 2480)   cmdline: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe  (PID 2192)   cmdline: c:\windows\system\spoolsv.exe SE
        [5] \??\c:\windows\system\spoolsv.exe  (PID 5584)   cmdline: c:\windows\system\spoolsv.exe SE

[1] C:\Windows\system32\svchost.exe  (PID 5448)
    cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5988)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
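Added example, not part of the sandbox report: the signature rows and process tree above are re-entered as constructed event records and run through three detection checks that the report's behaviour suggests: a well-known Windows binary name (explorer.exe, spoolsv.exe) executing from somewhere other than its legitimate location, SetThreadContext from a process into a child that runs the same image, and a file written under the per-user Startup folder. The table of legitimate paths, the rule names and the event-record layout are assumptions of this example; the PIDs and paths are the ones listed in the report.

```python
"""Turn the report's process tree and signature rows into detection checks.

Added example (not from the sandbox or the sample). Legitimate install
paths, rule names and the record layout below are assumptions.
"""
from collections import namedtuple
from typing import Dict, List, Tuple

Process = namedtuple("Process", "pid ppid image")
FileEvent = namedtuple("FileEvent", "op path pid")
Finding = namedtuple("Finding", "rule pid detail")

# Assumption: default Windows 10 x64 locations of the names the sample reuses.
KNOWN_BINARIES: Dict[str, str] = {
    "explorer.exe": "c:\\windows\\explorer.exe",
    "spoolsv.exe": "c:\\windows\\system32\\spoolsv.exe",
    "svchost.exe": "c:\\windows\\system32\\svchost.exe",
    "splwow64.exe": "c:\\windows\\splwow64.exe",
}
# Per-user Startup folder, matched as a lower-cased path fragment.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed from the report's process tree (PIDs and image paths as listed).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe"
PROCESSES: List[Process] = [
    Process(3984, 0, SAMPLE),
    Process(3620, 3984, r"C:\Windows\splwow64.exe"),
    Process(4200, 3984, SAMPLE),
    Process(2964, 4200, r"\??\c:\windows\system\explorer.exe"),
    Process(6052, 2964, r"\??\c:\windows\system\explorer.exe"),
    Process(440, 6052, r"\??\c:\windows\system\spoolsv.exe"),
    Process(5448, 0, r"C:\Windows\system32\svchost.exe"),
]
# (caller pid, target pid) from the "Suspicious use of SetThreadContext" rows.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(3984, 4200), (2964, 6052)]
# Rows from "Drops startup file" and "Drops file in Windows directory".
FILE_EVENTS: List[FileEvent] = [
    FileEvent("create", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\004b99c7f22dae72be75009dbc37a1ed_JaffaCakes118.exe", 3984),
    FileEvent("modify", r"C:\Windows\Parameters.ini", 3984),
    FileEvent("modify", r"\??\c:\windows\system\explorer.exe", 3984),
]


def normalize(path: str) -> str:
    """Lower-case, unify separators and drop the NT object-manager prefix
    (the four characters backslash ? ? backslash) that the sandbox reports."""
    p = path.strip().lower().replace("/", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def find_masquerades(processes: List[Process]) -> List[Finding]:
    """Known binary name running from a path other than its legitimate one."""
    out = []
    for proc in processes:
        name = basename(proc.image)
        expected = KNOWN_BINARIES.get(name)
        if expected and normalize(proc.image) != expected:
            out.append(Finding("masquerade", proc.pid,
                               f"{name} ran from {normalize(proc.image)}, expected {expected}"))
    return out


def find_self_hollowing(processes: List[Process], stc: List[Tuple[int, int]]) -> List[Finding]:
    """SetThreadContext from a parent into its own child running the same image."""
    by_pid = {p.pid: p for p in processes}
    out = []
    for src, dst in stc:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.ppid == src and normalize(s.image) == normalize(d.image):
            out.append(Finding("self_hollowing", src,
                               f"SetThreadContext into child {dst} running the same image {basename(s.image)}"))
    return out


def find_startup_persistence(events: List[FileEvent]) -> List[Finding]:
    """Any file written under the per-user Startup folder."""
    return [Finding("startup_persistence", e.pid, normalize(e.path))
            for e in events if STARTUP_MARKER in normalize(e.path)]


def run_all(processes=PROCESSES, stc=SET_THREAD_CONTEXT, events=FILE_EVENTS) -> List[Finding]:
    return (find_masquerades(processes)
            + find_self_hollowing(processes, stc)
            + find_startup_persistence(events))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Against the report's data this yields six findings: three masquerades (PIDs 2964, 6052 and 440), two self-hollowing pairs (3984 into 4200, 2964 into 6052) and one Startup-folder write by 3984; splwow64.exe and svchost.exe run from their expected paths and are left alone. The masquerade and persistence checks need only process-creation and file-write telemetry (Sysmon Event ID 1 and 11 suffice); the SetThreadContext check needs an API-level source such as this sandbox trace or an EDR, since Sysmon does not record that call.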
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize: 2.2MB
MD5: cfa0dac9dae26628eb98ef2b510f501b
SHA1: e9848550c04e28201c7136f2d0afdad89c2ef831
SHA256: 167c77b714001a6dacfef358273aaa209634ec611a5ce4a9d6f1e722c4da8a2e
SHA512: 59b7a6cb2f2d047477366eea3121f0f3ddf7318705f4d255e6e2ece290ef99b2b12f05098526da3ac01e49746a5890c80ccfb2743d8133f82bf26887fa32fb76

Filesize: 2.2MB
MD5: 8cecb6fcf478c20c970eadb7add7e19d
SHA1: 572e2a1f9c8753f6fde6e7b658fe932c546f49c6
SHA256: 4791b4278fc71ad321d07a4fa03e2685a2178d6a0bd680f156ec11fbe06cc15b
SHA512: 0fa91aeb3ecc7796f38236f319e74ecf1e5155f8acc3d64a02511531b0ed7cff6002e34be289b650abb3d6dd288b9d3185598bebcdfb4ed5de1e4feb048462d9