Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 27/04/2024, 02:29
Static task: static1
Behavioral task: behavioral1
Sample: 023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe
Size: 1.1MB
MD5: 023617c1c011ea1ca68856bf7b290b57
SHA1: 6cac228d510568b7cd90bf5cb82202b55137b15b
SHA256: 8da549ef10749b90b55f2c27c108b3176ab00c34892d0155fca56b86764e7df9
SHA512: e1b44e2441a084dc6adb58abc906c2e518d3cac35e989e8e080eb4dcbb89b3234ff8095d6a0f67822e24f36e48b82cd9cd418ef87ae15ac9c3c6b85be79b938f
SSDEEP: 3072:Esyp1VuU1ykCJdsEWfGyO76ePGX2vHPTjfLnvrbSkeWjqI/GvmKSzWlv3OnybSOg:EJuU1
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
2696 | netsh.exe

Executes dropped EXE (1 IoCs)
pid | Process
1660 | chrome.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (33 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1660 | chrome.exe
Token: 33 | 1660 | chrome.exe
Token: SeIncBasePriorityPrivilege | 1660 | chrome.exe
(the Token: 33 and Token: SeIncBasePriorityPrivilege rows for pid 1660 chrome.exe alternate for the remaining entries; 33 IoCs in total)

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2392 wrote to memory of 1660 | 2392 | 023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe | 28
PID 2392 wrote to memory of 1660 | 2392 | 023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe | 28
PID 2392 wrote to memory of 1660 | 2392 | 023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe | 28
PID 1660 wrote to memory of 2696 | 1660 | chrome.exe | 29
PID 1660 wrote to memory of 2696 | 1660 | chrome.exe | 29
PID 1660 wrote to memory of 2696 | 1660 | chrome.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe"
   PID: 2392
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\chrome.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
      PID: 1660
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
         PID: 2696
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 023617c1c011ea1ca68856bf7b290b57
SHA1: 6cac228d510568b7cd90bf5cb82202b55137b15b
SHA256: 8da549ef10749b90b55f2c27c108b3176ab00c34892d0155fca56b86764e7df9
SHA512: e1b44e2441a084dc6adb58abc906c2e518d3cac35e989e8e080eb4dcbb89b3234ff8095d6a0f67822e24f36e48b82cd9cd418ef87ae15ac9c3c6b85be79b938f