Analysis
-
max time kernel
120s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
17-05-2024 10:48
Static task
static1
Behavioral task
behavioral1
Sample
4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
-
Size
237KB
-
MD5
4f9dbed0c196736850754a608ca45fa9
-
SHA1
8abd87beec30bf4890e3d3833763be1f9de2383b
-
SHA256
f7c3379558086abbfc0d443b445c6f16ba65915027f12027d7e0a2a3385c4a61
-
SHA512
15cb565bb88428cff0f4dbf2b0169af6ad55bb41b9fdd02fc3d7c4741de29167149e07b683419192a1b88b261e0f4ad11d2ae6b7e5fede54befc1634b166ef61
-
SSDEEP
3072:eCz47U4Mhzjqdka/ainvKrF8KAwAbGlRkiURzCwV/Vm1PBkVcTG0DuL0hz10r:eUKMJjqO7ovqaGl8zCwrm1PIcTggpQ
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016. The README.hta note launched with mshta.exe, the shadow copy deletion and the wallpaper change below are its usual post-encryption steps.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
Processes: mshta.exe
flow | pid | process
1544 | 1060 | mshta.exe
1546 | 1060 | mshta.exe
1548 | 1060 | mshta.exe
-
Contacts a large (517) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. Cerber is also documented sending UDP beacons across whole address ranges, so the host count alone does not distinguish scanning from that beaconing; check the Network section to see which process produced the flows.
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
644 | cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB693.bmp" | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
-
Drops file in Program Files directory 6 IoCs
Processes: 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
2972 | taskkill.exe
-
Modifies Internet Explorer settings
Processes: mshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
This key is created by mshta.exe itself when it initialises the MSHTML host to render README.hta; it is a side effect of displaying the note rather than a deliberate settings change by the sample.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
pid | process
2084 | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe (64 identical events)
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe, WMIC.exe, vssvc.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 2084 | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2620 | WMIC.exe
Token: SeSecurityPrivilege | 2620 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2620 | WMIC.exe
Token: SeLoadDriverPrivilege | 2620 | WMIC.exe
Token: SeSystemProfilePrivilege | 2620 | WMIC.exe
Token: SeSystemtimePrivilege | 2620 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2620 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2620 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2620 | WMIC.exe
Token: SeBackupPrivilege | 2620 | WMIC.exe
Token: SeRestorePrivilege | 2620 | WMIC.exe
Token: SeShutdownPrivilege | 2620 | WMIC.exe
Token: SeDebugPrivilege | 2620 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2620 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2620 | WMIC.exe
Token: SeUndockPrivilege | 2620 | WMIC.exe
Token: SeManageVolumePrivilege | 2620 | WMIC.exe
Token: 33 | 2620 | WMIC.exe
Token: 34 | 2620 | WMIC.exe
Token: 35 | 2620 | WMIC.exe
(the 20 WMIC.exe rows above are recorded a second time, identically)
Token: SeBackupPrivilege | 2624 | vssvc.exe
Token: SeRestorePrivilege | 2624 | vssvc.exe
Token: SeAuditPrivilege | 2624 | vssvc.exe
Token: SeDebugPrivilege | 2972 | taskkill.exe
wmic.exe enables every privilege its token holds at startup, so the WMIC.exe rows are baseline noise. The rows worth noting are SeDebugPrivilege in the sample (pid 2084) and in taskkill.exe, and the backup/restore privileges in vssvc.exe, which fit the shadow copy deletion.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: mshta.exe
pid | process
1060 | mshta.exe
1060 | mshta.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes: 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
pid | process
2084 | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2084 wrote to memory of 2344 | 2084 | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe | cmd.exe (4 events)
PID 2344 wrote to memory of 2620 | 2344 | cmd.exe | WMIC.exe (3 events)
PID 2084 wrote to memory of 1060 | 2084 | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe | mshta.exe (4 events)
PID 2084 wrote to memory of 644 | 2084 | 4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe | cmd.exe (4 events)
PID 644 wrote to memory of 2972 | 644 | cmd.exe | taskkill.exe (3 events)
PID 644 wrote to memory of 2116 | 644 | cmd.exe | PING.EXE (3 events)
Every write here is from a parent into a child it has just created, matching the process tree below; there is no write into an unrelated process, so this reflects process creation rather than injection.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. The vssvc.exe and DllHost.exe entries at the top level of the process tree are the service and COM surrogate started in response to the sample's "wmic shadowcopy delete", not processes spawned by the sample directly.
Processes
Indentation shows parent/child depth. vssvc.exe and DllHost.exe sit at the top level because they are started by the service control manager and COM, not by the sample. The mshta.exe command line opens a README.hta in the user's Temp directory, while the copy hashed under Downloads is the one written into Program Files, so the note is dropped in at least two locations. The last cmd.exe child is the self-delete step: it kills the parent by image name and pings loopback once as a short delay before the file is removed.
-
C:\Users\Admin\AppData\Local\Temp\4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe"
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\wbem\WMIC.exe
          command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe
          command line: taskkill /f /im "4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\PING.EXE
          command line: ping -n 1 127.0.0.1
          - Runs ping.exe
-
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
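The process tree above is the part of this report a detection engineer would turn into rules: a shadow copy deletion, a ransom note rendered with mshta.exe from a user-writable path, and the cmd.exe child that kills its own parent by image name next to a loopback ping. The script below is an added example, not part of the sandbox report or of any vendor's tooling. It replays events constructed from the tree (same PIDs, images and command lines) plus a constructed benign control set; the sample's parent PID 1000 and the control PIDs 3000-3004 are placeholders, and the vssadmin pattern in the first rule is an assumption for coverage that does not appear in this report.

```python
"""Replay the report's process tree against three behavioural rules:
shadow-copy deletion, a ransom note opened with mshta.exe, and the
cmd.exe -> taskkill -> ping self-delete chain.  Added example; events are
constructed from the tree (PID 1000 and PIDs 3000-3004 are placeholders,
the vssadmin pattern is an assumption not taken from this report)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line it was launched with


SAMPLE = "4f9dbed0c196736850754a608ca45fa9_JaffaCakes118.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS32 = r"C:\Windows\system32"

# Constructed from the report's process tree.
MALICIOUS_EVENTS = [
    ProcEvent(2084, 1000, TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(2344, 2084, SYS32 + r"\cmd.exe", f'"{SYS32}\\cmd.exe"'),
    ProcEvent(2620, 2344, SYS32 + r"\wbem\WMIC.exe",
              SYS32 + r"\wbem\wmic.exe shadowcopy delete"),
    ProcEvent(1060, 2084, r"C:\Windows\SysWOW64\mshta.exe",
              f'"C:\\Windows\\SysWOW64\\mshta.exe" "{TEMP}\\README.hta"'),
    ProcEvent(644, 2084, SYS32 + r"\cmd.exe", f'"{SYS32}\\cmd.exe"'),
    ProcEvent(2972, 644, SYS32 + r"\taskkill.exe", f'taskkill /f /im "{SAMPLE}"'),
    ProcEvent(2116, 644, SYS32 + r"\PING.EXE", "ping -n 1 127.0.0.1"),
]

# Constructed benign control (placeholder PIDs): an admin listing shadow
# copies, killing notepad and pinging loopback.  Must not fire any rule.
BENIGN_EVENTS = [
    ProcEvent(3000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 3000, SYS32 + r"\cmd.exe", f'"{SYS32}\\cmd.exe"'),
    ProcEvent(3002, 3001, SYS32 + r"\wbem\WMIC.exe", "wmic shadowcopy list brief"),
    ProcEvent(3003, 3001, SYS32 + r"\taskkill.exe", "taskkill /f /im notepad.exe"),
    ProcEvent(3004, 3001, SYS32 + r"\PING.EXE", "ping -n 1 127.0.0.1"),
]

SHADOW_DELETE = re.compile(
    r"\b(?:wmic(?:\.exe)?\s+shadowcopy\s+delete|vssadmin(?:\.exe)?\s+delete\s+shadows)\b",
    re.I)
HTA_ARG = re.compile(r'"?([^"\s]+\.hta)"?', re.I)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
TASKKILL_IM = re.compile(r'/im\s+"?([^"\s]+)"?', re.I)
LOOPBACK_PING = re.compile(r"\bping(?:\.exe)?\b.*\b127\.0\.0\.1\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def origin(pid: int, by_pid: Dict[int, ProcEvent]) -> ProcEvent:
    """Follow parent links to the top-most process present in the event set."""
    ev, seen = by_pid[pid], {pid}
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
    return ev


def detect(events: List[ProcEvent]) -> List[dict]:
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings: List[dict] = []

    def hit(rule: str, ev: ProcEvent, detail: str) -> None:
        findings.append({"rule": rule, "pid": ev.pid,
                         "origin_pid": origin(ev.pid, by_pid).pid, "detail": detail})

    for ev in events:
        name = basename(ev.image)
        # Rule 1: shadow copies deleted ("wmic shadowcopy delete" in the report).
        if SHADOW_DELETE.search(ev.cmdline):
            hit("shadow_copy_deletion", ev, ev.cmdline)
        # Rule 2: mshta.exe rendering an .hta from a user-writable location.
        if name == "mshta.exe":
            m = HTA_ARG.search(ev.cmdline)
            if m and any(tag in m.group(1).lower() for tag in USER_WRITABLE):
                hit("ransom_note_via_mshta", ev, m.group(1))
        # Rule 3: taskkill run by a cmd.exe child against its own grandparent's
        # image name, with a loopback ping sibling acting as the delete delay.
        if name == "taskkill.exe":
            m = TASKKILL_IM.search(ev.cmdline)
            parent = by_pid.get(ev.ppid)
            grand = by_pid.get(parent.ppid) if parent else None
            if (m and parent and grand and basename(parent.image) == "cmd.exe"
                    and basename(grand.image) == m.group(1).lower()
                    and any(LOOPBACK_PING.search(s.cmdline)
                            for s in children.get(parent.pid, []))):
                hit("self_delete_chain", ev,
                    f"pid {grand.pid} ({m.group(1)}) killed by its own cmd.exe child {parent.pid}")
    return findings


if __name__ == "__main__":
    for f in detect(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"{f['rule']:<22} pid={f['pid']:<5} origin={f['origin_pid']}  {f['detail']}")
```

The ProcEvent fields map directly onto Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) or Security event 4688 with command-line auditing enabled, so the same rules can be run over real telemetry. Rule 3 deliberately checks the grandparent's image name rather than just "taskkill with a ping sibling", which is what keeps the benign control from firing; all three findings resolve to origin pid 2084, the sample itself.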
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
Filesize 61KB
MD5 1d66a97bd50aa33ab97dbc8125ed5aa5
SHA1 8a3142aeee4ecdb21b2ea531dc6fd8dc4833be0a
SHA256 1eaeb968dc32e6e01b09b5e7ee7a9e64b04fc829becb0b2fc7a5a57069cc68c8
SHA512 1e22722ce620e18154b247ab8b67af840285b7586f3a495162d920bb6364bc48affa759aed45ec2271ea7ebab509f71193d43efcd1ea9ed4d1207bc5ba1df081
-
Memory dumps of pid 2084. The 0x400000-0x431000 region is the sample's own image at the default 32-bit image base (not relocated by ASLR), dumped repeatedly over the run; the 0x160000-0x18E000 region is a separate 184KB region captured first.
memory/2084-301-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-346-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-298-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-8-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-9-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-1-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-286-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-289-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-292-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-304-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-7-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-6-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-295-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-307-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-310-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-313-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-316-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-319-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-322-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-325-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-328-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-332-0x0000000000400000-0x0000000000431000-memory.dmp  196KB
memory/2084-0-0x0000000000160000-0x000000000018E000-memory.dmp  184KB