Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 17:16
Static task: static1

Behavioral task: behavioral1
- Sample: 05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
- Size: 1.0MB
- MD5: 05b0217261909d44a001d4b283c51df2
- SHA1: c4cb95b26376cc67a38b035183bc775724ba4b95
- SHA256: b9c2bcb74d67c683f66168aa484eefc55b488aa4015c4e38d1e4a131c0220699
- SHA512: 5b9670289444aa035b1254030b09a3bccbaaf6e27e24164cdeb1519d34d63aedc79b2f255d82d7f62e76d637914c0ba86e3c8a65958788df8778e6cf1c73603b
- SSDEEP: 24576:z/C8FE+7CDfGJIpclxPoH/KpcCkVxpI7h8CQ36ZcT:qkCDVGgSpcCgxAu
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2136  defender.exe

- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    2268  05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
    2268  05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
    2268  05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Processes (yara rule matches):
    resource                                                                      yara_rule
    \ProgramData\defender.exe                                                     upx
    behavioral1/memory/2268-22-0x0000000002EB0000-0x00000000034E5000-memory.dmp  upx
    behavioral1/memory/2136-23-0x0000000000400000-0x0000000000A35000-memory.dmp  upx

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                       process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security Protection = "C:\\ProgramData\\defender.exe"  defender.exe

- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\U:  defender.exe
    File opened (read-only)  \??\E:  defender.exe
    File opened (read-only)  \??\G:  defender.exe
    File opened (read-only)  \??\I:  defender.exe
    File opened (read-only)  \??\K:  defender.exe
    File opened (read-only)  \??\Q:  defender.exe
    File opened (read-only)  \??\T:  defender.exe
    File opened (read-only)  \??\P:  defender.exe
    File opened (read-only)  \??\X:  defender.exe
    File opened (read-only)  \??\Z:  defender.exe
    File opened (read-only)  \??\M:  defender.exe
    File opened (read-only)  \??\N:  defender.exe
    File opened (read-only)  \??\V:  defender.exe
    File opened (read-only)  \??\W:  defender.exe
    File opened (read-only)  \??\Y:  defender.exe
    File opened (read-only)  \??\H:  defender.exe
    File opened (read-only)  \??\J:  defender.exe
    File opened (read-only)  \??\L:  defender.exe
    File opened (read-only)  \??\O:  defender.exe
    File opened (read-only)  \??\R:  defender.exe
    File opened (read-only)  \??\S:  defender.exe

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                 process
    File opened for modification  \??\PhysicalDrive0  defender.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    2268  05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
    2136  defender.exe  (63 entries)

- Suspicious use of FindShellTrayWindow (17 IoCs)
  Processes:
    pid   process
    2136  defender.exe  (17 entries)

- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes:
    pid   process
    2136  defender.exe  (17 entries)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    2136  defender.exe  (2 entries)

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process                                             target process
    PID 2268 wrote to memory of 2136  2268  05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe  defender.exe  (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\05b0217261909d44a001d4b283c51df2_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\defender.exe (child of 1)
      Command line: C:\ProgramData\defender.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

- \ProgramData\defender.exe
  Filesize: 873KB
  MD5: 611d64dda639ed6e8c2878a3b13103a4
  SHA1: 30591fdfd4cb96c44392e6068d0f81d0746268b5
  SHA256: a059c3cde3ec783b6dbf539c8af33183626606a26b25eb03cdf36a385f08267d
  SHA512: e2e2bf4fe0d8ecf2bf7a77d20a743d570724faf550e6df34a4d6522cd91e57cf8526ab62a07eeec2801ff5ed322ec22157e2c566a47390455296732e25916386

- memory/2136-34-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-42-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-33-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-50-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-48-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-47-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-35-0x0000000000B90000-0x0000000000C90000-memory.dmp  Filesize: 1024KB
- memory/2136-23-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-46-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-26-0x0000000000B90000-0x0000000000C90000-memory.dmp  Filesize: 1024KB
- memory/2136-27-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-29-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-30-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-31-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
- memory/2136-51-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-49-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-45-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-36-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-37-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-38-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
- memory/2136-40-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-41-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-44-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2136-43-0x0000000000400000-0x0000000000A35000-memory.dmp  Filesize: 6.2MB
- memory/2268-3-0x0000000000400000-0x0000000000703000-memory.dmp  Filesize: 3.0MB
- memory/2268-22-0x0000000002EB0000-0x00000000034E5000-memory.dmp  Filesize: 6.2MB
- memory/2268-24-0x0000000002EB0000-0x00000000034E5000-memory.dmp  Filesize: 6.2MB
- memory/2268-12-0x0000000000400000-0x0000000000703000-memory.dmp  Filesize: 3.0MB
- memory/2268-15-0x0000000000330000-0x0000000000340000-memory.dmp  Filesize: 64KB
- memory/2268-2-0x00000000008A0000-0x00000000009A0000-memory.dmp  Filesize: 1024KB
- memory/2268-0-0x0000000000400000-0x0000000000703000-memory.dmp  Filesize: 3.0MB
- memory/2268-6-0x0000000077360000-0x0000000077361000-memory.dmp  Filesize: 4KB