Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 22:23
Static task: static1
Behavioral task: behavioral1
Sample: 21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
Size: 302KB
MD5: 21fac61365987a8abfcd0b429a2497bf
SHA1: 114fc4d7533b3fd0dd4d034ae55847d4885d1c70
SHA256: 8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b
SHA512: d86ab5c4e3f1a33a929a99fa57df943e7ae4086543f947f8178a1216d19c1c16c68f350b36a53b062b55d63f0491f6065a7c3e0813edac7f806158c7035da66b
SSDEEP: 6144:+z+92mhAMJ/cPl3ix0LcjsyBhpH3AY4n3ZfJUh+HsgpqR0r8sqPTAv:+K2mhAMJ/cPlijsyBhpH3AY+3ZGe
Malware Config
Signatures
Detects PlugX payload (18 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1700-37-0x00000000006B0000-0x00000000006E1000-memory.dmp   family_plugx
behavioral1/memory/2624-42-0x00000000002A0000-0x00000000002D1000-memory.dmp   family_plugx
behavioral1/memory/2432-49-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2624-47-0x00000000002A0000-0x00000000002D1000-memory.dmp   family_plugx
behavioral1/memory/1700-22-0x00000000006B0000-0x00000000006E1000-memory.dmp   family_plugx
behavioral1/memory/2432-64-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2432-82-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2432-77-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2432-81-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2432-80-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2432-76-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2432-75-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2512-95-0x0000000000420000-0x0000000000451000-memory.dmp   family_plugx
behavioral1/memory/2512-96-0x0000000000420000-0x0000000000451000-memory.dmp   family_plugx
behavioral1/memory/2512-90-0x0000000000420000-0x0000000000451000-memory.dmp   family_plugx
behavioral1/memory/2432-97-0x00000000001D0000-0x0000000000201000-memory.dmp   family_plugx
behavioral1/memory/2432-100-0x00000000001D0000-0x0000000000201000-memory.dmp  family_plugx
behavioral1/memory/2432-108-0x00000000001D0000-0x0000000000201000-memory.dmp  family_plugx
Executes dropped EXE (2 IoCs)
pid   Process
1700  RsTray.exe
2624  RsTray.exe
Loads dropped DLL (6 IoCs)
pid   Process
1632  21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
1632  21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
1632  21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
1632  21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
1700  RsTray.exe
2624  RsTray.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (16 IoCs)
description       ioc                                                                                                                                                   Process
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecision = "0"                          svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionTime = f0654579cda0da01         svchost.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecision = "0"    svchost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadNetworkName = "Network 3"  svchost.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e                                            svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionTime = 9010605fcda0da01         svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionTime = f071625fcda0da01         svchost.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}                       svchost.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionReason = "1"  svchost.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\12-b1-a0-df-04-6e     svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionTime = 9010605fcda0da01  svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionTime = f071625fcda0da01  svchost.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2496C5CB-E9D9-463B-8009-CA6E9281A60F}\WpadDecisionTime = f0654579cda0da01  svchost.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                              svchost.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDecisionReason = "1"                    svchost.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-b1-a0-df-04-6e\WpadDetectedUrl                             svchost.exe
Modifies registry class (2 IoCs)
description       ioc                                                                                                                Process
Key created       \REGISTRY\MACHINE\Software\CLASSES\FAST                                                                            svchost.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003200330046004500370034003500340044003300460036004100350032000000  svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process      occurrences
2432  svchost.exe  14
2512  msiexec.exe  50
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid   Process
2432  svchost.exe
2512  msiexec.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1700  RsTray.exe
Token: SeTcbPrivilege    1700  RsTray.exe
Token: SeDebugPrivilege  2624  RsTray.exe
Token: SeTcbPrivilege    2624  RsTray.exe
Token: SeDebugPrivilege  2432  svchost.exe
Token: SeTcbPrivilege    2432  svchost.exe
Token: SeDebugPrivilege  2512  msiexec.exe
Token: SeTcbPrivilege    2512  msiexec.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description                       pid   Process                                             procid_target  occurrences
PID 1632 wrote to memory of 1700  1632  21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe  28             7
PID 2624 wrote to memory of 2432  2624  RsTray.exe                                          30             9
PID 2432 wrote to memory of 2512  2432  svchost.exe                                         31             12
Processes

C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21fac61365987a8abfcd0b429a2497bf_JaffaCakes118.exe"
  PID: 1632
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe"
      PID: 1700
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\360\RsTray.exe
  Command line: C:\ProgramData\360\RsTray.exe
  PID: 2624
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe 201 0
      PID: 2432
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\msiexec.exe
          Command line: C:\Windows\system32\msiexec.exe 209 2432
          PID: 2512
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: 8d770a9af761ffd730138dff7e7ee955
SHA1: f494f853a341d2ad634436598379194f8b1d103d
SHA256: 78165bca194e098f05838a74fe8d1c6e656730601704275a440faed38e3e7948
SHA512: 3653cf222bb936881b1bfef3fbe204eb58390f1b49c26192c7aae400d4378d2aefb01c8f9b6b42ecf078603f1c6ffea95cdd13e37c566fe8b5f418dadd01e1d7

Filesize: 3KB
MD5: 295decc75adb2474ae45d4291a9a111e
SHA1: 92102f1e5868f3139b7027120524d785a674f6b9
SHA256: 8d76c61be8682c425cb15e89e0179c1c8e35cb86e7b6b54c60ef8239317d3d7a
SHA512: 56c3090f32c2523c55d8dbe171efd64c423ded0d3cc67993a9d81c71379ee61a250317953cfbcdcb2f46969cdf85e586690f5adbeaed1175cca7268e220c97d8

Filesize: 3KB
MD5: 8ec93a87c25fd93235d3668540a1126c
SHA1: b8839a0853d8f3c43c02082ff5530263cc07eba6
SHA256: 5bee4bb85703a6e309820f910be3766d7b88cebd96374030803d7aec3562f4cf
SHA512: 0f54f16d469f241bb58712e6b6ae4946ac1887e7dd894858bb2a0549a0c6489a216ffa09c5e14dd5e6977501bc876b175751801043c14ffff77f976ab2794dc9

Filesize: 122KB
MD5: 7a2b112e3291887512f318865b5205e3
SHA1: 9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0
SHA256: d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a
SHA512: 70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

Filesize: 41KB
MD5: b1253aa4e944916ab10235348cd6a3dd
SHA1: 0046b288ba631f7363350e797ceb703ec8ae830e
SHA256: cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb
SHA512: d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Filesize: 174KB
MD5: d65adc7ad95e88fab486707b8c228f17
SHA1: dfa0589b58a469e34695a22313d184e5352a3282
SHA256: a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2
SHA512: 3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01