Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 06:41

Static task: static1

Behavioral task: behavioral1
- Sample: 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
- Size: 601KB
- MD5: 23a6caad88c0f42f1e73daf13fc3b0df
- SHA1: e97fcb7899f4d894c26b63f8af19233bd59cf9a1
- SHA256: 8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca
- SHA512: e7ce48800957df81e662de24969206b2386374cfb04457433741db262d0b57dccb4a57d78edff585732483677f6602981e76808abdf1936322594d71d380ca4e
- SSDEEP: 12288:FPzTLDropyX9xgoiiuZunDGkjkxHZ2UZGkjkxHZ2Uc2h1:FP3HrodoljnD5kNZNZ5kNZNcW1
Malware Config
Signatures
-
Trickbot x86 loader (3 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/1720-38-0x0000000000400000-0x0000000000499000-memory.dmp | trickbot_loader32 |
| behavioral1/memory/2452-39-0x0000000000400000-0x0000000000499000-memory.dmp | trickbot_loader32 |
| behavioral1/memory/860-55-0x0000000000400000-0x0000000000499000-memory.dmp | trickbot_loader32 |
Executes dropped EXE (2 IoCs)
Processes:

| pid | process |
|---|---|
| 2452 | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe |
| 860 | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe |
Loads dropped DLL (2 IoCs)
Processes:

| pid | process |
|---|---|
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe |
Drops file in System32 directory (3 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
| File opened for modification | C:\Windows\SysWOW64\EMP.DAT | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:

| pid | process |
|---|---|
| 2860 | sc.exe |
| 2784 | sc.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (5 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5005e9ea12a1da01 | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe |
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:

| pid | process |
|---|---|
| 2940 | powershell.exe |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe |
| 2508 | powershell.exe |
| 2756 | powershell.exe |
| 2064 | powershell.exe |
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2940 | powershell.exe |
| Token: SeDebugPrivilege | 2508 | powershell.exe |
| Token: SeDebugPrivilege | 2756 | powershell.exe |
| Token: SeDebugPrivilege | 2064 | powershell.exe |
| Token: SeTcbPrivilege | 860 | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical consecutive rows are collapsed; the writes column counts the recorded WriteProcessMemory calls, 64 in total):

| source pid | source process | target pid | target process | writes |
|---|---|---|---|---|
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | 2208 | cmd.exe | 4 |
| 2208 | cmd.exe | 2940 | powershell.exe | 3 |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | 2552 | cmd.exe | 4 |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | 2572 | cmd.exe | 4 |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | 2636 | cmd.exe | 4 |
| 1720 | 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | 2452 | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | 4 |
| 2636 | cmd.exe | 2756 | powershell.exe | 4 |
| 2572 | cmd.exe | 2784 | sc.exe | 4 |
| 2552 | cmd.exe | 2860 | sc.exe | 4 |
| 2452 | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | 2832 | cmd.exe | 4 |
| 2832 | cmd.exe | 2508 | powershell.exe | 3 |
| 2452 | 23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | 2692 | svchost.exe | 22 |
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe (PID 1720), command line: "C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe"
  - Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2208), command line: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2940), command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 2552), command line: /c sc stop WinDefend
    - Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2860), command line: sc stop WinDefend
      - Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2572), command line: /c sc delete WinDefend
    - Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2784), command line: sc delete WinDefend
      - Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2636), command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2756), command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe (PID 2452), command line: C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
    - Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 2832), command line: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2508), command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\svchost.exe (PID 2692), command line: C:\Windows\system32\svchost.exe
- C:\Windows\system32\taskeng.exe (PID 3036), command line: taskeng.exe {ACBE96C3-4888-450D-BBEB-8A9F59D7CC75} S-1-5-18:NT AUTHORITY\System:Service:
  - C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe (PID 860), command line: C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
    - Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 1944), command line: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2064), command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\svchost.exe (PID 1648), command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3627615824-4061627003-3019543961-1000\0f5007522459c86e95ffcc62f32308f1_12cce00e-511f-47e5-8588-7df67886da42
  - Filesize: 1KB
  - MD5: b9c8e4c8897ee40749eb7854e175b3c8
  - SHA1: 19a56033a88fe25938ceec45fc0b0d8ff8ae9668
  - SHA256: 19431c2a194efe1a19a4804ad044c6873afd040f968324e685420cbef165d91e
  - SHA512: 35ea2c308f73b2c04f983809e3032f323494ab34d82e63cb65bb010d5dc1a013675bb7d1f3533f840d861a809270b75df1d4801ef3b3c42b172c44deb249bee1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C3KPEXOAMXMHCFHSO7K3.temp
  - Filesize: 7KB
  - MD5: 57f69aa51b0af03ee95beb2f7bd778bf
  - SHA1: 6fa33c09fee864a6a1a0b5e9d1a945ef44453700
  - SHA256: 8a6694e5e13a50dc3b462addf3214db3f150545004fe223062843b53f3a45c03
  - SHA512: e6066f9310fd2615f3df0f8bc9d5146dcfab0de8e9518d406b2ab954c36a58c3d0dfa8543419c08984cf988deb724e6c21c9ab15d3122c91933939ce2d92287c
- (no path recorded; these are the hashes of zero-length input, i.e. an empty file)
  - MD5: d41d8cd98f00b204e9800998ecf8427e
  - SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  - SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  - SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- (no path recorded; hashes match the submitted sample)
  - Filesize: 601KB
  - MD5: 23a6caad88c0f42f1e73daf13fc3b0df
  - SHA1: e97fcb7899f4d894c26b63f8af19233bd59cf9a1
  - SHA256: 8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca
  - SHA512: e7ce48800957df81e662de24969206b2386374cfb04457433741db262d0b57dccb4a57d78edff585732483677f6602981e76808abdf1936322594d71d380ca4e