Overview (score 7)
Static (score 3)

Tasks (score / sample / platform):
7  1f40c4422f...18.exe    windows7-x64
7  1f40c4422f...18.exe    windows10-2004-x64
3  $PLUGINSDI...LL.dll    windows7-x64
3  $PLUGINSDI...LL.dll    windows10-2004-x64
3  $PLUGINSDI...ns.dll    windows7-x64
3  $PLUGINSDI...ns.dll    windows10-2004-x64
3  $PLUGINSDI...LL.dll    windows7-x64
3  $PLUGINSDI...LL.dll    windows10-2004-x64
3  $PLUGINSDI...em.dll    windows7-x64
3  $PLUGINSDI...em.dll    windows10-2004-x64
1  iconAnimate.exe        windows7-x64
1  iconAnimate.exe        windows10-2004-x64
1  iconTips.exe           windows7-x64
1  iconTips.exe           windows10-2004-x64
7  uninst.exe             windows7-x64
7  uninst.exe             windows10-2004-x64
3  $PLUGINSDI...LL.dll    windows7-x64
3  $PLUGINSDI...LL.dll    windows10-2004-x64
3  $PLUGINSDI...LL.dll    windows7-x64
3  $PLUGINSDI...LL.dll    windows10-2004-x64
3  $PLUGINSDI...em.dll    windows7-x64
3  $PLUGINSDI...em.dll    windows10-2004-x64
3  $PLUGINSDIR/inetc.dll  windows7-x64
3  $PLUGINSDIR/inetc.dll  windows10-2004-x64
3  $PLUGINSDI...gs.dll    windows7-x64
3  $PLUGINSDI...gs.dll    windows10-2004-x64
1  yj_dtsk.exe            windows7-x64
1  yj_dtsk.exe            windows10-2004-x64

Analysis
  max time kernel: 119s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 07/05/2024, 03:11
Static task: static1

Behavioral tasks (task / sample / resource):
behavioral1   1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  win7-20240221-en
behavioral2   1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  win10v2004-20240419-en
behavioral3   $PLUGINSDIR/FindProcDLL.dll     win7-20240419-en
behavioral4   $PLUGINSDIR/FindProcDLL.dll     win10v2004-20240226-en
behavioral5   $PLUGINSDIR/InstallOptions.dll  win7-20231129-en
behavioral6   $PLUGINSDIR/InstallOptions.dll  win10v2004-20240419-en
behavioral7   $PLUGINSDIR/KillProcDLL.dll     win7-20240419-en
behavioral8   $PLUGINSDIR/KillProcDLL.dll     win10v2004-20240419-en
behavioral9   $PLUGINSDIR/System.dll          win7-20240221-en
behavioral10  $PLUGINSDIR/System.dll          win10v2004-20240419-en
behavioral11  iconAnimate.exe                 win7-20240220-en
behavioral12  iconAnimate.exe                 win10v2004-20240419-en
behavioral13  iconTips.exe                    win7-20240221-en
behavioral14  iconTips.exe                    win10v2004-20240419-en
behavioral15  uninst.exe                      win7-20240221-en
behavioral16  uninst.exe                      win10v2004-20240419-en
behavioral17  $PLUGINSDIR/FindProcDLL.dll     win7-20240221-en
behavioral18  $PLUGINSDIR/FindProcDLL.dll     win10v2004-20240419-en
behavioral19  $PLUGINSDIR/KillProcDLL.dll     win7-20240220-en
behavioral20  $PLUGINSDIR/KillProcDLL.dll     win10v2004-20240419-en
behavioral21  $PLUGINSDIR/System.dll          win7-20240221-en
behavioral22  $PLUGINSDIR/System.dll          win10v2004-20240226-en
behavioral23  $PLUGINSDIR/inetc.dll           win7-20231129-en
behavioral24  $PLUGINSDIR/inetc.dll           win10v2004-20240419-en
behavioral25  $PLUGINSDIR/nsDialogs.dll       win7-20240215-en
behavioral26  $PLUGINSDIR/nsDialogs.dll       win10v2004-20240419-en
behavioral27  yj_dtsk.exe                     win7-20240221-en
behavioral28  yj_dtsk.exe                     win10v2004-20240419-en
General
  Target: 1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
  Size: 1.2MB
  MD5: 1f40c4422ffff18c554b7313d3a8df60
  SHA1: ee5b7c88fea14731be96a3ccc05d4cd655f54ed1
  SHA256: 30ef369d154a2d3bf33e28940ecfddf8a0194b4f4e7128571b643044556bbb70
  SHA512: d0229224f75e01cb8d4599d4a2961fce64188165aeaffc9206ad6f9e3e677e90424971b72f87ea052bdcfc9a9ee515bafea759396d5127d2615a5fa432b1b533
  SSDEEP: 24576:KYiAos7FQQ03tyjhtueZwGnFCEBEc168tar8vG5Mq8WpdR0y06cQCEW:viAos7FQQRjrugjnF5tre5Mq8WpdRJ0H
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  2028  yj_dtsk.exe
  2668  yj_dtsk.exe
  2396  yj_dtsk.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PhysicalDrive0  yj_dtsk.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main  yj_dtsk.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe
  2396  yj_dtsk.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2028  yj_dtsk.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2668  yj_dtsk.exe
  2668  yj_dtsk.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                              procid_target
  PID 1612 wrote to memory of 2028  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  29
  PID 1612 wrote to memory of 2028  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  29
  PID 1612 wrote to memory of 2028  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  29
  PID 1612 wrote to memory of 2028  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  29
  PID 1612 wrote to memory of 2668  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  30
  PID 1612 wrote to memory of 2668  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  30
  PID 1612 wrote to memory of 2668  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  30
  PID 1612 wrote to memory of 2668  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  30
  PID 1612 wrote to memory of 2396  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  31
  PID 1612 wrote to memory of 2396  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  31
  PID 1612 wrote to memory of 2396  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  31
  PID 1612 wrote to memory of 2396  1612  1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe  31
Processes
  C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1f40c4422ffff18c554b7313d3a8df60_JaffaCakes118.exe"
    PID: 1612
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
        Command line: "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /ShowDeskTop
        PID: 2028
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow

      C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
        Command line: "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /autorun /setuprun
        PID: 2668
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe
        Command line: "C:\Users\Admin\AppData\Roaming\yj_dtsk\yj_dtsk.exe" /setupsucc
        PID: 2396
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 864B
  MD5: 775e8d45bd2b9f7c80773281a36b980f
  SHA1: 6b42a8297e8bf25f750d503c8c71c41a2b9c3250
  SHA256: 4f3a2fbc2b20c689bea144d6f9877254446865e7689c23199c4ce56119de42c1
  SHA512: 330545bcb5f6bb568e830e705742083bb38f420f60380394df8e1ced47c736cd4699957761c3c69e0416a11f626409b673b5b8afbd33e44ac4f60dd87f181bec

  Filesize: 454B
  MD5: 04e813edb010a8177e6348ad91ae63ce
  SHA1: 1bd0dac493ca7affc732c042aafad0e2aa207980
  SHA256: fb32d354a4f95d9326b494b17280f830c989a7fd54c1afd20c25804ae9655020
  SHA512: 9c105c668658b10e054be88429a46c36eb5977b557362b9a6152a27470ad2b04ea313c4f7dc612021ef13284c9e812d3ff1d07b344000d8b9cea00ebfb790a4b

  Filesize: 664B
  MD5: 4ed9614397e098853a4a72806969a8a8
  SHA1: 8accfa48b6af02e9c5403215b8d23300fcca5717
  SHA256: ef49df72840ea1f48503510664000c0da83a65df63b4b1eed65165d30d5a0f16
  SHA512: 9bfa9dafff77441ff8b1b3a732425b54b7a54d01b4f712c107d325fb8e3a3a4ae259c6874b9a49b61945cff1f46589141906ed8267d01de9990c0de3463ec6d0

  Filesize: 391B
  MD5: 79833079e022c9ec09974a780083b68f
  SHA1: a640dd52a3722a0e4be42c2789245d4a1d251d1c
  SHA256: e415657883d27b1268f301948188906856a1998ef49b72f215cc474e331dbef3
  SHA512: 8494f2c99631c36e5d9f7e40423b9469e78198076eec6a443c219d30380e84fd298fb45ea03989c630a2297d7c4324c9a861695988740b18908720a8f0bd7bbf

  Filesize: 410B
  MD5: 3061881b3fde56a8e3a9d9b3acb85ec9
  SHA1: 646b806ef0384a275a1102673068ed68ce3d1763
  SHA256: 238147067f662483813185c19c33bfd59fd94e548c4914cce9a0cacd07b38f90
  SHA512: 45a784876205c400f47b9561162d01e64f5d66b0170d88c300b3fdcbd2b4e9bc474ffd2cfc306d4a6da84829df6e75177db8da7dc5cf3927bb49688b84a0ee3c

  Filesize: 3KB
  MD5: 8614c450637267afacad1645e23ba24a
  SHA1: e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
  SHA256: 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
  SHA512: af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

  Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  Filesize: 1.2MB
  MD5: ebeb1bb919543b07d57aabb96c331e27
  SHA1: 06c1857f7cbb76ce01b6b1ea9a1bf8fc4538b2c9
  SHA256: 68538e5ab408445b3b73158a40ea6e9b1bada7e874a7c4b3bbf3b48568e9a676
  SHA512: 39d13db5ad0b17e16a9db56b3294cc7c0f66d79ab64d69d796dd005963f6f1a33000b1f306b7a59b2cd3525f9a41b7f192748837498123ad0ee54903c19817b2