Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 01:54
Static task: static1
Behavioral task: behavioral1
- Sample: 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
- Size: 4.3MB
- MD5: 27bcd7e1e7a4b83502a3057a580b2761
- SHA1: 69a0b27289af0a6b68d020051ba5aef0e333e794
- SHA256: f9c81c2bffe6d3465ecdb13d659d36e03784575875fb2df21a117571062d1757
- SHA512: c9d9cec4768f615be82426a14bec15bca7be6795d2a8eb06ec488068dc39020c77cc720fd25fb3e6821c3956b7fc965186596e89327d3b4430b237c061c9b3a1
- SSDEEP: 98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 3972, Process Чистилка.exe
  pid 2320, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description: File opened for modification; ioc: \??\PhysicalDrive0; Process: 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
- Drops file in Windows directory (1 IoC)
  description: File created; ioc: C:\Windows\fonts\pns.ttf; Process: 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 3892, pid_target 4252, Process WerFault.exe, procid_target 80
- Suspicious behavior: RenamesItself (2 IoCs)
  pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
  pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeTakeOwnershipPrivilege, pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
  Token: SeRestorePrivilege, pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
  Token: SeDebugPrivilege, pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege, pid 3972, Process Чистилка.exe
  Token: SeRestorePrivilege, pid 3972, Process Чистилка.exe
  Token: SeDebugPrivilege, pid 3972, Process Чистилка.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe (3 occurrences)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe (3 occurrences)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4252, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4252 wrote to memory of 3972, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe, procid_target 84 (3 occurrences)
  PID 4252 wrote to memory of 2320, Process 27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe, procid_target 88 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe"
  PID: 4252
  Signatures:
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\ProgramData\Чистилка\Чистилка.exe
    Command line: C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
    PID: 3972
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\27bcd7e1e7a4b83502a3057a580b2761_JaffaCakes118.exe" /test
    PID: 2320
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1412
    PID: 3892
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4252 -ip 4252
  PID: 4432
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.3MB
  MD5: 27bcd7e1e7a4b83502a3057a580b2761
  SHA1: 69a0b27289af0a6b68d020051ba5aef0e333e794
  SHA256: f9c81c2bffe6d3465ecdb13d659d36e03784575875fb2df21a117571062d1757
  SHA512: c9d9cec4768f615be82426a14bec15bca7be6795d2a8eb06ec488068dc39020c77cc720fd25fb3e6821c3956b7fc965186596e89327d3b4430b237c061c9b3a1
- Filesize: 5.9MB
  MD5: d7ebb78bf1f0e4a8278b2d63013b1134
  SHA1: 498b315dcba9bf4403d6748be61453d5d8991b61
  SHA256: c5a685088c44b1fbd01f49587af753b6a0f8f793de8d3b3d7e170574fef27ba8
  SHA512: ead20a19b5262ce34f13bae9c9d1082ce5bf740759ea82042d83600094e38de7aea87d7533fdd7660369ec5bb8549e107aff562fa477711515eb9c15c9c93312