Analysis

max time kernel: 146s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 03:54

Static task: static1
Behavioral task: behavioral1
  Sample: 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe
  Resource: win7-20240221-en
General

Target: 1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe
Size: 236KB
MD5: 1f5cc0934c69394573e34be53dc41e54
SHA1: 55947f243c826706cfe27470530e555190911711
SHA256: 9e7580489a6e346a26ac16c42a33e1857d67801bcc4191c1303d158e52c931ae
SHA512: 22b09cab12c4e08549be486a0ba7e22f914d33da3a2188d256d990d2f2da74c4be71710c87d0310bb9869493655d1e14b676fdf6c03a3023414496ae13382771
SSDEEP: 3072:VHZ/peTSk1rr7XcoZrBx8IlRdtF7zYLt52RlfZoqFa52QDL3ZJ6bLiD659qkg+:VHZRe7rPXfZ/fMLb2J6DLpJ6m
Malware Config

Extracted
Family: gootkit
9
C2:
  shoblya.org
  shoblya.com
  shoblyar.org
  shblyar1.org
vendor_id: 9
Signatures

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                               Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   ctfforf.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   mstsc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    mstsc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   mstsc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    mstsc.exe

Deletes itself (1 IoCs)
  pid   Process
  2504  cmd.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2516  ctfforf.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2700  mstsc.exe
  2700  mstsc.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0                  mstsc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  mstsc.exe
  Key opened         \REGISTRY\MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0                  mstsc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  mstsc.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2700  mstsc.exe
  2700  mstsc.exe
  760   mstsc.exe
  760   mstsc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  760   mstsc.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe
  2516  ctfforf.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  description                      pid   Process                                              procid_target
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2820 wrote to memory of 2700  2820  1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe  30
  PID 2700 wrote to memory of 2516  2700  mstsc.exe                                            31
  PID 2700 wrote to memory of 2516  2700  mstsc.exe                                            31
  PID 2700 wrote to memory of 2516  2700  mstsc.exe                                            31
  PID 2700 wrote to memory of 2516  2700  mstsc.exe                                            31
  PID 2700 wrote to memory of 2504  2700  mstsc.exe                                            32
  PID 2700 wrote to memory of 2504  2700  mstsc.exe                                            32
  PID 2700 wrote to memory of 2504  2700  mstsc.exe                                            32
  PID 2700 wrote to memory of 2504  2700  mstsc.exe                                            32
  PID 2504 wrote to memory of 2336  2504  cmd.exe                                              34
  PID 2504 wrote to memory of 2336  2504  cmd.exe                                              34
  PID 2504 wrote to memory of 2336  2504  cmd.exe                                              34
  PID 2504 wrote to memory of 2336  2504  cmd.exe                                              34
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35
  PID 2516 wrote to memory of 760   2516  ctfforf.exe                                          35

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  2336  attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe"
   PID: 2820
   - Checks BIOS information in registry
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\mstsc.exe
      Command line: C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe"
      PID: 2700
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ctfforf.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ctfforf.exe"
         PID: 2516
         - Checks BIOS information in registry
         - Executes dropped EXE
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\mstsc.exe
            Command line: C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ctfforf.exe"
            PID: 760
            - Checks BIOS information in registry
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259452548.bat" "C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe""
         PID: 2504
         - Deletes itself
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1f5cc0934c69394573e34be53dc41e54_JaffaCakes118.exe"
            PID: 2336
            - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 76B
MD5: 5b482f0ea2f6d377f1612f5fc0c0c6e6
SHA1: cef183865990cbec344e81c4a41cac227f31fdc4
SHA256: b4526ac0b22c5f325d9e0b2b8ed0e3b5c7779c4dcf81c1bf3987b8c439b8f233
SHA512: 86b1530191f71ae6bc64f385b664eba9cae90f1833f67cc3f7d052d9d68dc2edf94337322a9611b9fc1caf52a1f2a348c3aed5206c5afc1d197ebb04d1e248a1

Filesize: 238B
MD5: adc50b6a926c099b3ddb064cd32d8560
SHA1: dd96732321e27032e1b323a18f39782486944534
SHA256: 18c429450346ad86e862318cdff1eb36463bf5bfcd2ed7ab509c8384faccec31
SHA512: 1e3670783693a4faa99faad7cccd84089af6b4fec84bf5c3a15150cc49ce15b820be14d01162c65cce71f260db7b35d8d2b60fa6f32fad70e199bda21a147b97

Filesize: 236KB
MD5: 1f5cc0934c69394573e34be53dc41e54
SHA1: 55947f243c826706cfe27470530e555190911711
SHA256: 9e7580489a6e346a26ac16c42a33e1857d67801bcc4191c1303d158e52c931ae
SHA512: 22b09cab12c4e08549be486a0ba7e22f914d33da3a2188d256d990d2f2da74c4be71710c87d0310bb9869493655d1e14b676fdf6c03a3023414496ae13382771