Analysis
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 16:37
Static task: static1
Behavioral task: behavioral1
Sample: 2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
Size: 452KB
MD5: 2ae2ff3322d02131f692ace1f71aac6d
SHA1: 3c404c9bc2a1fdb546e74dca66e35f4742687679
SHA256: 4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
SHA512: 683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53
SSDEEP: 6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+
Malware Config

Extracted: limerat (configuration 1)
aes_key: jack
antivm: false
c2_url: https://pastebin.com/raw/YtyeDvFZ
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false

Extracted: limerat (configuration 2)
antivm: false
c2_url: https://pastebin.com/raw/YtyeDvFZ
download_payload: false
install: false
pin_spread: false
usb_spread: false
Signatures

Drops startup file (1 IoC)
Processes:
  description   ioc                                                                                      process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.Lnk  cscript.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2584  cscript.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2988-3-0x0000000000570000-0x00000000005AC000-memory.dmp  agile_net

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 45 IoCs)
Processes:
  flow    ioc
  4-48    pastebin.com (every flow from 4 through 48, 45 flows in total, resolves to pastebin.com)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                             target process
  PID 2988 set thread context of 2892  2988  2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe  RegAsm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  2988  2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2892  RegAsm.exe
  Token: SeDebugPrivilege  2892  RegAsm.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                             target process   count
  PID 2988 wrote to memory of 2584  2988  2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe  cscript.exe      4
  PID 2988 wrote to memory of 2892  2988  2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe  RegAsm.exe       8
Processes

1. C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118.exe"
   PID: 2988
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cscript.exe (child of PID 2988)
      Command line: "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbc.vbs
      PID: 2584
      - Drops startup file
      - Loads dropped DLL

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of PID 2988)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 2892
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 452KB
MD5: 2ae2ff3322d02131f692ace1f71aac6d
SHA1: 3c404c9bc2a1fdb546e74dca66e35f4742687679
SHA256: 4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
SHA512: 683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53

File 2
Filesize: 263B
MD5: e2fa162484a572ea7bb469e513bb2516
SHA1: 57bdeadcaff9894cabfd5d4258bdeb929aa8e242
SHA256: 128ba94c436c2308147c945e2321f1625cce2ac3726bdd67a64a75f3932276b7
SHA512: 5ebaabdfe844de35b8889becb459930baebb996ae1f20992f12f5efea69d426abe5bc43b18fac6d51b1a6b6f4374e593485b09cdd97da8dbe2b244eb02294253