Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
-
Size
931KB
-
MD5
433dd4dce13e86688a3af13686c84d1c
-
SHA1
69ceb568484e6436b50b067f041f383acab22870
-
SHA256
bc64ad45f156496dab5f38b4d6810dd3276ccb43a639e979fa2a71f370f78aad
-
SHA512
45f933fd991bfedaab8b1fd19d41e22432f328abb5606aa04dc9cff43bf088fc1a674c156be95bd0aa452334b96e6ab6cd1105431abd27e6d03bbaa42aef47d7
-
SSDEEP
24576:LQgPByJzhAfD7MjzlR7W/BdT5r4fPn9OvRSWz4r:LQgZ0z0MjHC/Bdu39OvAWz+
Malware Config
Signatures
-
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
Processes:
certutil.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" certutil.exe -
Drops startup file 1 IoCs
Processes:
lsass.comdescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghost.url lsass.com -
Executes dropped EXE 2 IoCs
Processes:
lsass.comlsass.compid process 3416 lsass.com 4428 lsass.com -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
lsass.comlsass.compid process 3416 lsass.com 3416 lsass.com 3416 lsass.com 4428 lsass.com 4428 lsass.com 4428 lsass.com -
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
lsass.comlsass.compid process 3416 lsass.com 3416 lsass.com 3416 lsass.com 4428 lsass.com 4428 lsass.com 4428 lsass.com -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.execmd.exelsass.comdescription pid process target process PID 5036 wrote to memory of 3992 5036 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe cmd.exe PID 5036 wrote to memory of 3992 5036 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe cmd.exe PID 5036 wrote to memory of 3992 5036 433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe cmd.exe PID 3992 wrote to memory of 1136 3992 cmd.exe certutil.exe PID 3992 wrote to memory of 1136 3992 cmd.exe certutil.exe PID 3992 wrote to memory of 1136 3992 cmd.exe certutil.exe PID 3992 wrote to memory of 3416 3992 cmd.exe lsass.com PID 3992 wrote to memory of 3416 3992 cmd.exe lsass.com PID 3992 wrote to memory of 3416 3992 cmd.exe lsass.com PID 3416 wrote to memory of 4428 3416 lsass.com lsass.com PID 3416 wrote to memory of 4428 3416 lsass.com lsass.com PID 3416 wrote to memory of 4428 3416 lsass.com lsass.com PID 3992 wrote to memory of 3080 3992 cmd.exe PING.EXE PID 3992 wrote to memory of 3080 3992 cmd.exe PING.EXE PID 3992 wrote to memory of 3080 3992 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\cmd.execmd /c <nul set /p ="M" > lsass.com & type ffXi.com >> lsass.com & del ffXi.com & certutil -decode adCt.com R & lsass.com R & ping 127.0.0.1 -n 202⤵
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\certutil.execertutil -decode adCt.com R3⤵
- Manipulates Digital Signatures
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.comlsass.com R3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com R4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 203⤵
- Runs ping.exe
PID:3080
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RFilesize
250KB
MD553a116d2b8ab11b92b293b4ad18cc523
SHA1a4726d5f751271a8ef9f50c343249b3e97f91cc8
SHA256f49fd869ebc412d9bd65b96330652ff1aea58d287a06f6b5c8a02ba442fd4d22
SHA512e8f3eac4532041823b0362d84d591ce815aa55090d44ed18ac567ba17559b051e5b0c6d66ce6b0af2b22c11d90289cf96855ca51abcb4c5d5297fd7ce656e6fc
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\adCt.comFilesize
344KB
MD5608d98351812a3c2c73b94a6f5bef048
SHA1edbdd9e0608abc2abf531bb42423a68a22349bd8
SHA2564a17468fec26c6b95fd7d2365eae99cbc875ac5d0b34cbeff373b2ca15238884
SHA512e24874e67f15d04ab8594591c92236d93a2f2212002ca3354ca8fbeedd90b524737f8603837c1858d19505b1b85edd8809cd1d6a3f263043740aecf042b34a40
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzYfp.comFilesize
332KB
MD5340f2664d7956a753d8ea2fa5c0044ff
SHA10134773b0534c94f62edea2302d0efe020addc25
SHA256956eba9bc654807eaaf15438024f0485d62fa35fcaabfe1bcc8fbf6668275c63
SHA5123e9dae031e34a33aed97a1b331748a2bdf99862e13f94057aa8d32986e0db9748592300ca3639fe3f36fd439768510b7ea587775faa89991ff79eeda2e6e2997
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffXi.comFilesize
872KB
MD5d86ab2aeeac2553c7857ece4492eda5d
SHA10828db56b556f3f0486a9de9d2c728216035e8e6
SHA2568861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436
SHA5128c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.comFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c