Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 10:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- Resource: win7-20240220-en
General
- Target: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- Size: 1.2MB
- MD5: 298d23c0ecd0b23b303eed58288e8209
- SHA1: 7536e0937095311b8565adbadea597e99745d774
- SHA256: 2ce70e3ec75c2e85928d0590e3d0909bd0fdb28600a5b3443a527d6560de01e6
- SHA512: bb6766ac874e69d8a37575ffa5e450724b638e82c1e9316bb58f2252d1d047e450686c27c4549e17e19ed5d66207997bff1b0ed2b06a58f9c343785acaf85bb8
- SSDEEP: 3072:gG5yzbGfgyr9z+zyC5yQDVeImFoOS042ywxsaH2+MgsVIVzn0f+CD:AbCRz++OMIgmSzBsyVgf9
Malware Config
Extracted
- Family: xpertrat
- Version: 3.0.10
Group
46.183.220.104:10101
K8P3I007-I4G2-R2U0-V0G8-T1Q3K5W771L5
Signatures
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (tmp.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (tmp.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe)
XpertRAT Core payload 1 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/692-38-0x0000000000400000-0x0000000000443000-memory.dmp: xpertrat
Drops startup file 1 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk (298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe)
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 2232: tmp.exe
Loads dropped DLL 4 IoCs
Processes (pid, process):
- 2732: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- 2232: tmp.exe
- 2232: tmp.exe
- 2232: tmp.exe
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (tmp.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" (298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (tmp.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 2732 set thread context of 2012: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe -> 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- PID 2232 set thread context of 540: tmp.exe -> iexplore.exe
- PID 2012 set thread context of 692: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe -> iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes (pid, process):
- 276: timeout.exe
NTFS ADS 1 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier (cmd.exe)
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes (pid, process; identical rows collapsed with counts):
- 2732: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe (4 IoCs)
- 2232: tmp.exe (3 IoCs)
- 2012: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe (3 IoCs)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2732, 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- Token: 33, 2732, 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- Token: SeIncBasePriorityPrivilege, 2732, 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- Token: SeDebugPrivilege, 692, iexplore.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid, process):
- 2232: tmp.exe
- 2012: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
- 692: iexplore.exe
Suspicious use of WriteProcessMemory 55 IoCs
Processes (description, pid, process, target process; identical rows collapsed with counts):
- PID 2732 wrote to memory of 772: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe -> cmd.exe (4 IoCs)
- PID 772 wrote to memory of 1836: cmd.exe -> reg.exe (4 IoCs)
- PID 2732 wrote to memory of 2232: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe -> tmp.exe (7 IoCs)
- PID 2732 wrote to memory of 2012: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe -> 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe (11 IoCs)
- PID 2012 wrote to memory of 692: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe -> iexplore.exe (9 IoCs)
- PID 2232 wrote to memory of 540: tmp.exe -> iexplore.exe (12 IoCs)
- PID 2732 wrote to memory of 1136: 298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe -> cmd.exe (4 IoCs)
- PID 1136 wrote to memory of 276: cmd.exe -> timeout.exe (4 IoCs)
System policy modification 1 TTPs 2 IoCs
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (tmp.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe)
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2732
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID: 772
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
      PID: 1836
  - C:\Users\Admin\AppData\Roaming\tmp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2232
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: C:\Users\Admin\AppData\Roaming\tmp.exe
      PID: 540
  - C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe"
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2012
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\298d23c0ecd0b23b303eed58288e8209_JaffaCakes118.exe
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 692
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Roaming\FolderN\name.exe.bat
    - Suspicious use of WriteProcessMemory
    PID: 1136
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 2640
      - Delays execution with timeout.exe
      PID: 276
Network
MITRE ATT&CK Enterprise v15
Downloads