Analysis
max time kernel: 132s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 03:24
Static task: static1
Behavioral task: behavioral1
  Sample: 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
Size: 4.3MB
MD5: 1f4acc2840193a2b3093cec932eea7eb
SHA1: 8dfa71b596d34b7281ea2533697957311822cf8b
SHA256: 818ddcd58e62b21749be9172cb7b8b1930c288961a40f74f79d32510da80a75b
SHA512: cac08dc9777ab03950953f9db5fdca0e73b51d64f373973c0cd047bf68d616408679a2c99297ea5e44e9f95a4d0ac95e5247fcabc99b5b30f170bb29a5e7fa03
SSDEEP: 98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 4684, Process Чистилка.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification; ioc: \??\PhysicalDrive0; Process: 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
- Drops file in Windows directory (1 IoCs)
  description: File created; ioc: C:\Windows\fonts\pns.ttf; Process: 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid 1232, pid_target 4968, Process WerFault.exe, procid_target 83
- Suspicious behavior: RenamesItself (1 IoCs)
  pid 4968, Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeTakeOwnershipPrivilege; pid 4968; Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
  Token: SeRestorePrivilege; pid 4968; Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
  Token: SeDebugPrivilege; pid 4968; Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege; pid 4684; Process Чистилка.exe
  Token: SeRestorePrivilege; pid 4684; Process Чистилка.exe
  Token: SeDebugPrivilege; pid 4684; Process Чистилка.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  3 entries, each: pid 4968, Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  3 entries, each: pid 4968, Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  2 entries, each: pid 4968, Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  3 entries, each: PID 4968 wrote to memory of 4684; Process 1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe; procid_target 90
Processes
- C:\Users\Admin\AppData\Local\Temp\1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe (depth 1, PID 4968)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Чистилка\Чистилка.exe (depth 2, PID 4684)
    Command line: C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 1232)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 2476
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4848)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4968 -ip 4968
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d727b2d9e16f9b8a435bd68a64be4dc5
  SHA1: 9bfee268801d38744236824ef2f8d93f75563e68
  SHA256: 8d129edd44d9030964d2ac01109a26d57c5db6bf7bd3afd6070c3c0eff7168bc
  SHA512: c624dfb477604703b37dc0ce309bcfab74e2817ac357b0a7e672ba1c75e41a1e7d6f6cae1fb3a1cdeac40c40da1393a3ba0dcf0b23c6b9c6c7600b8328170723
- Filesize: 1KB
  MD5: 41b13742f04ea63d1d87bbbf21a86c3e
  SHA1: f7480711388d65b91985d95e64c3e9842af146ff
  SHA256: cce3e10286612de1f3900fa3a80340aa913cf528ec7563a4e5ac854f61658a20
  SHA512: 27018abe8daeb05f4b8d66ce30bc8c26a0ec7e83d09b94c20b399e8c83ce3949cf383c57e7dbeee2b0528cee76dbf39198dda8b9cefd8157460a18b922259937
- Filesize: 4.3MB
  MD5: 1f4acc2840193a2b3093cec932eea7eb
  SHA1: 8dfa71b596d34b7281ea2533697957311822cf8b
  SHA256: 818ddcd58e62b21749be9172cb7b8b1930c288961a40f74f79d32510da80a75b
  SHA512: cac08dc9777ab03950953f9db5fdca0e73b51d64f373973c0cd047bf68d616408679a2c99297ea5e44e9f95a4d0ac95e5247fcabc99b5b30f170bb29a5e7fa03