Analysis
max time kernel: 137s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29-04-2024 18:46
Static task: static1
Behavioral task: behavioral1
    Sample: 085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe
    Resource: win7-20240221-en
General
Target: 085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe
Size: 628KB
MD5: 085e89b8c2a49aa819549e372a82a456
SHA1: 844494e6e33fd48479b7509202a6fcbf43a0303e
SHA256: 35cbc9343c28832d7bd8fca706ba5c8d68a9d3250b11346239c5c48432fbb332
SHA512: e72de6ca5683eaee8800d31ce4dc427d6d5e9c5adc5bcab4728f83666b486eed0c17c445c930e22e109861535f65a765c2a957ff8d09d86e8513ea2fb5f0fd8b
SSDEEP: 12288:Y2wm3VGxU4zxgc5E8k7xsfDdOjmVOAbbbbbb7nnnnnMhPhPhPhPhPhF:Pwm3Yxpz5nktI6mVfbbbbbb7nnnnnMhJ
Malware Config
Extracted
Family: xpertrat
Version: 3.0.10
Botnet: Test
C2: 140.82.57.249:3614
Mutex: N3S7K4V2-L8C6-M6Q5-Y5I3-V6L7F1Y2X5G0
Signatures

UAC bypass 4 IoCs
description       ioc                                                                                          Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe

Windows security bypass 4 IoCs
description       ioc                                                                                        Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe

XpertRAT Core payload 1 IoCs
resource                                                                      yara_rule
behavioral1/memory/2508-13-0x0000000000400000-0x0000000000443000-memory.dmp   xpertrat
PID 2508 is the iexplore.exe process in the tree below: Dissonans8.exe (PID 2960) starts it with Dissonans8.exe's own command line, writes to it (WriteProcessMemory) and replaces its thread context (SetThreadContext), so the XpertRAT core runs inside an iexplore.exe image rather than in the dropped file itself.

Executes dropped EXE 8 IoCs
pid    Process
2536   Dissonans8.exe
2960   Dissonans8.exe
2432   Dissonans8.exe
2380   Dissonans8.exe
1472   Dissonans8.exe
1032   Dissonans8.exe
1848   Dissonans8.exe
1948   Dissonans8.exe

Windows security modification 4 IoCs
description       ioc                                                                                        Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"   Dissonans8.exe

Checks whether UAC is enabled 4 IoCs
description       ioc                                                                                          Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe

Suspicious use of SetThreadContext 5 IoCs
description                           pid    Process          procid_target
PID 2536 set thread context of 2960   2536   Dissonans8.exe   34
PID 2960 set thread context of 2508   2960   Dissonans8.exe   35
PID 2432 set thread context of 2380   2432   Dissonans8.exe   37
PID 1472 set thread context of 1032   1472   Dissonans8.exe   41
PID 1848 set thread context of 1948   1848   Dissonans8.exe   43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
2292   schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
2960   Dissonans8.exe
2960   Dissonans8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   2508   iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
pid    Process
1968   085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe
2536   Dissonans8.exe
2960   Dissonans8.exe
2508   iexplore.exe
2432   Dissonans8.exe
2380   Dissonans8.exe
1472   Dissonans8.exe
1032   Dissonans8.exe
1848   Dissonans8.exe
1948   Dissonans8.exe

Suspicious use of WriteProcessMemory 64 IoCs
Each row below appears in the report the number of times given in the last column (64 rows in total).
description                        pid    Process                                               procid_target   rows
PID 1968 wrote to memory of 2292   1968   085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe   28              4
PID 1968 wrote to memory of 2948   1968   085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe   30              4
PID 2588 wrote to memory of 2536   2588   taskeng.exe                                           33              4
PID 2536 wrote to memory of 2960   2536   Dissonans8.exe                                        34              10
PID 2960 wrote to memory of 2508   2960   Dissonans8.exe                                        35              9
PID 2588 wrote to memory of 2432   2588   taskeng.exe                                           36              4
PID 2432 wrote to memory of 2380   2432   Dissonans8.exe                                        37              10
PID 2588 wrote to memory of 1472   2588   taskeng.exe                                           40              4
PID 1472 wrote to memory of 1032   1472   Dissonans8.exe                                        41              10
PID 2588 wrote to memory of 1848   2588   taskeng.exe                                           42              4
PID 1848 wrote to memory of 1948   1848   Dissonans8.exe                                        43              1

System policy modification 1 TTPs 4 IoCs
description       ioc                                                                                          Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Dissonans8.exe
Processes

C:\Users\Admin\AppData\Local\Temp\085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe  (PID 1968)
    command line: "C:\Users\Admin\AppData\Local\Temp\085e89b8c2a49aa819549e372a82a456_JaffaCakes118.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2292)
        command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Snyltehveps6" /TR "\"C:\ProgramData\Dissonans8.exe\""
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe  (PID 2948)
        command line: "C:\Windows\System32\schtasks.exe" /run /tn "Snyltehveps6"

C:\Windows\system32\taskeng.exe  (PID 2588)
    command line: taskeng.exe {6F829978-86DC-4607-9A0A-F23D0502BF2D} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\Dissonans8.exe  (PID 2536)
        command line: C:\ProgramData\Dissonans8.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\Dissonans8.exe  (PID 2960)
            command line: C:\ProgramData\Dissonans8.exe
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

            C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 2508)
                command line: C:\ProgramData\Dissonans8.exe
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

    C:\ProgramData\Dissonans8.exe  (PID 2432)
        command line: C:\ProgramData\Dissonans8.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\Dissonans8.exe  (PID 2380)
            command line: C:\ProgramData\Dissonans8.exe
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious use of SetWindowsHookEx
            - System policy modification

    C:\ProgramData\Dissonans8.exe  (PID 1472)
        command line: C:\ProgramData\Dissonans8.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\Dissonans8.exe  (PID 1032)
            command line: C:\ProgramData\Dissonans8.exe
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious use of SetWindowsHookEx
            - System policy modification

    C:\ProgramData\Dissonans8.exe  (PID 1848)
        command line: C:\ProgramData\Dissonans8.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\Dissonans8.exe  (PID 1948)
            command line: C:\ProgramData\Dissonans8.exe
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious use of SetWindowsHookEx
            - System policy modification
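The three behaviours this report records, the UAC policy values set to 0, a per-minute scheduled task whose action is C:\ProgramData\Dissonans8.exe, and an iexplore.exe process created with Dissonans8.exe's command line and then written to and given a new thread context, are what a detection engineer would want to catch on a live host rather than only in a sandbox. The Python below is an added example, not the sandbox's code or anything that ships with the report: it runs three checks over Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) events. The event dictionaries at the bottom are constructed to mirror the rows above; the field names (Image, CommandLine, TargetObject, Details) follow Sysmon's, while the rule names, the SUSPECT_TASK_DIRS list and the sub-daily schedule set are this example's own choices.

```python
"""Flag the report's three behaviours in Sysmon-style events: UAC policy values
zeroed (Event ID 13), schtasks creating a sub-daily task from a drop directory
(Event ID 1), and a process whose image differs from the executable on its own
command line (Event ID 1, the iexplore.exe / Dissonans8.exe pattern).
Added example, not the sandbox's code; the events at the bottom are constructed."""
import re
from collections import namedtuple
from typing import Dict, List, Optional

# Values the sample sets to 0, in the lower-case "hklm\..." form norm_key() produces.
UAC_POLICY_VALUES = {
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua",
    r"hklm\software\wow6432node\microsoft\security center\uacdisablenotify",
}
SUSPECT_TASK_DIRS = ("c:\\programdata\\", "c:\\users\\")  # user-writable drop trees (assumption)
SUB_DAILY = {"minute", "hourly"}                           # the sample uses /SC MINUTE
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')               # quoted (with \" escapes) or bare token
Finding = namedtuple("Finding", "rule pid detail")

def norm_key(target: str) -> str:
    """\\REGISTRY\\MACHINE\\... (report form) and HKLM\\... (Sysmon form) -> one spelling."""
    key = target.lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\"):
        if key.startswith(prefix):
            return "hklm\\" + key[len(prefix):]
    return key

def dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000000)' or the report's bare "0"."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    bare = details.strip().strip('"')
    return int(m.group(1), 16) if m else (int(bare) if bare.isdigit() else None)

def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def unquote(tok: str) -> str:
    # "\"C:\ProgramData\x.exe\""  ->  C:\ProgramData\x.exe  (outer quotes, then escaped inner ones)
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        tok = tok[1:-1]
    return tok.replace('\\"', '"').strip('"')

def check_registry_set(ev: Dict) -> List[Finding]:
    if (ev.get("EventID") == 13 and dword(ev["Details"]) == 0
            and norm_key(ev["TargetObject"]) in UAC_POLICY_VALUES):
        return [Finding("uac_policy_disabled", ev["ProcessId"], f"{ev['TargetObject']} = {ev['Details']}")]
    return []

def check_schtasks(ev: Dict) -> List[Finding]:
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "schtasks.exe":
        return []
    toks = [unquote(t) for t in TOKEN.findall(ev["CommandLine"])]
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:          # /run, /delete, /query do not persist anything
        return []

    def arg(flag: str) -> str:            # value following a flag, "" if absent
        i = lowered.index(flag) if flag in lowered else len(toks)
        return toks[i + 1] if i + 1 < len(toks) else ""

    action, sched = arg("/tr"), arg("/sc").lower()
    if action.lower().startswith(SUSPECT_TASK_DIRS):
        rule = "task_persistence_subdaily" if sched in SUB_DAILY else "task_persistence"
        return [Finding(rule, ev["ProcessId"], f"/SC {sched or '?'} /TR {action}")]
    return []

def check_image_mismatch(ev: Dict) -> List[Finding]:
    # Basenames only: SysWOW64 vs System32 for the same binary stays quiet, while
    # iexplore.exe started with Dissonans8.exe's command line (create suspended,
    # WriteProcessMemory, SetThreadContext) is flagged.
    toks = TOKEN.findall(ev.get("CommandLine", "")) if ev.get("EventID") == 1 else []
    if not toks:
        return []
    claimed, actual = basename(unquote(toks[0])), basename(ev["Image"])
    if claimed.endswith(".exe") and claimed != actual:
        return [Finding("image_cmdline_mismatch", ev["ProcessId"],
                        f"image {actual} started with the command line of {claimed}")]
    return []

CHECKS = (check_registry_set, check_schtasks, check_image_mismatch)

def scan(events: List[Dict]) -> List[Finding]:
    return [f for ev in events for check in CHECKS for f in check(ev)]

# Constructed events mirroring the process tree and registry rows in the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2292, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Snyltehveps6" /TR "\"C:\ProgramData\Dissonans8.exe\""'},
    {"EventID": 1, "ProcessId": 2948, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /run /tn "Snyltehveps6"'},
    {"EventID": 1, "ProcessId": 2536, "Image": r"C:\ProgramData\Dissonans8.exe", "CommandLine": r"C:\ProgramData\Dissonans8.exe"},
    {"EventID": 1, "ProcessId": 2508, "Image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "CommandLine": r"C:\ProgramData\Dissonans8.exe"},
    {"EventID": 13, "ProcessId": 2960, "Details": "DWORD (0x00000000)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "ProcessId": 2960, "Details": "DWORD (0x00000000)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:26} pid={f.pid}  {f.detail}")
```

Run as a script it prints one line per finding: the schtasks /Create with /SC MINUTE pointing into C:\ProgramData, the iexplore.exe image started with Dissonans8.exe's command line, and the two registry writes. The /run invocation and the taskeng-launched Dissonans8.exe stage produce nothing on their own, which is deliberate: only /Create is treated as persistence, and comparing basenames keeps the SysWOW64/System32 path difference on schtasks.exe from firing the mismatch rule.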
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism: Bypass User Account Control (1)
    Scheduled Task/Job (1)
Downloads
Filesize: 628KB
MD5: c6b7a73e2d854ba9c52ccf6913c66b94
SHA1: 915979731b5b290c0457779f26dbc385611be3cd
SHA256: e208a5a1b5c20b1f62fb04fb4033011f8b358a807942c18db9852edb6c5d2af1
SHA512: f775862a177b533aac890227ca013307bdef64da056f8dee8f034e4d5f60878087254a4f27d6faae1363f9303402bad0976463bab29fc6e2c5b6868e7b742351