Analysis
- max time kernel: 147s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 15:54
Static task: static1
Behavioral task: behavioral1
- Sample: 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 2598ebf1b561402e5a4c9042514ac04d
- SHA1: a888bbd8d3c26c99e3eb49b3121d669c340687ec
- SHA256: 5b8369fd8e0ee96e8a54151a110628c79df21ab82ef65910e92feb40afe1757b
- SHA512: 5cc1ce18ef0242d6519055cf4cf1fa3300682a6a8ed77232135e178eeba457402dcafc747a26898e0d525a0b5ba57890b5472e62236fb4d5ef888020d3b644f0
- SSDEEP: 24576:7gHEvJo0mfNy/JCGaje+vwc3U5DZhMoP8iQQLCb9Slqk:EEa04y/JC3vx3U5v1GQI9r
Malware Config
Extracted
- Family: formbook
- Version: 2.6
- Campaign: hx48
- C2: click-list.info
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    1892 | Quote.exe
    2720 | Quote.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid | process
    2348 | cmd.exe
    2348 | cmd.exe
    1892 | Quote.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote.txt | cmd" | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CookiesOZ7 = "C:\\Program Files (x86)\\Common Files\\IconCachebbc.com" | svchost.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 1892 set thread context of 2720 | 1892 | Quote.exe | Quote.exe
    PID 2720 set thread context of 1376 | 2720 | Quote.exe | Explorer.EXE
    PID 2536 set thread context of 1376 | 2536 | svchost.exe | Explorer.EXE
- Drops file in Program Files directory (3 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\Common Files\IconCachebbc.com | cmd.exe
    File opened for modification | C:\Program Files (x86)\Common Files\IconCachebbc.com | cmd.exe
    File opened for modification | C:\Program Files (x86)\Common Files\IconCachebbc.com | svchost.exe
- Modifies Internet Explorer settings (1 IoC)
  Processes:
    description | ioc | process
    Key created | \Registry\User\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  Processes (repeated entries collapsed):
    pid | process | entries
    1972 | 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe | 2
    1892 | Quote.exe | 2
    2720 | Quote.exe | 2
    2536 | svchost.exe | 29
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (repeated entries collapsed):
    pid | process | entries
    2720 | Quote.exe | 3
    2536 | svchost.exe | 2
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1972 | 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
    Token: SeDebugPrivilege | 1892 | Quote.exe
    Token: SeDebugPrivilege | 2720 | Quote.exe
    Token: SeDebugPrivilege | 2536 | svchost.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    pid | process
    1376 | Explorer.EXE
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (repeated entries collapsed):
    description | pid | process | target process | entries
    PID 1972 wrote to memory of 2348 | 1972 | 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe | cmd.exe | 4
    PID 2348 wrote to memory of 1892 | 2348 | cmd.exe | Quote.exe | 4
    PID 1892 wrote to memory of 1884 | 1892 | Quote.exe | cmd.exe | 4
    PID 1884 wrote to memory of 2008 | 1884 | cmd.exe | reg.exe | 4
    PID 1892 wrote to memory of 2720 | 1892 | Quote.exe | Quote.exe | 7
    PID 1376 wrote to memory of 2536 | 1376 | Explorer.EXE | svchost.exe | 4
    PID 2536 wrote to memory of 2712 | 2536 | svchost.exe | cmd.exe | 4
    PID 2536 wrote to memory of 2604 | 2536 | svchost.exe | cmd.exe | 4
Processes (indentation shows the parent/child relationship)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1376
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe"
    PID: 1972
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd"
      PID: 2348
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\Desktop\Quote.exe
        Command line: "C:\Users\Admin\Desktop\Quote.exe"
        PID: 1892
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd"
          PID: 1884
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Quote" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Quote.txt" | cmd"
            PID: 2008
            - Adds Run key to start application

        C:\Users\Admin\Desktop\Quote.exe
          Command line: "C:\Users\Admin\Desktop\Quote.exe"
          PID: 2720
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    PID: 2536
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\Desktop\Quote.exe" "C:\Program Files (x86)\Common Files\IconCachebbc.com" /V
      PID: 2712
      - Drops file in Program Files directory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\Desktop\Quote.exe"
      PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.3MB
- MD5: 2598ebf1b561402e5a4c9042514ac04d
- SHA1: a888bbd8d3c26c99e3eb49b3121d669c340687ec
- SHA256: 5b8369fd8e0ee96e8a54151a110628c79df21ab82ef65910e92feb40afe1757b
- SHA512: 5cc1ce18ef0242d6519055cf4cf1fa3300682a6a8ed77232135e178eeba457402dcafc747a26898e0d525a0b5ba57890b5472e62236fb4d5ef888020d3b644f0