Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 17:42
Static task: static1
Behavioral task: behavioral1
- Sample: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
- Size: 879KB
- MD5: 5aa3e5eafe9fe3da717d5996a830cd14
- SHA1: 5c6bb95199209778cb31a710cdcb4a48aeeb3e6e
- SHA256: 668bfc84804f44313ed60e9a4f06eeeedbc009f779f620673025f54cf1d7ac02
- SHA512: ccd855646dad4b561556818592c863079f55aa8b82935c75b6d7fbc3358e9107cdef6e39802988fc897410b499073014e09a608fc36b2923ed05019096851f7d
- SSDEEP: 12288:68XrFMOLZBoEL2R0SSDGootOCA/OR2AyBf7xXsXdV+Tf/6SHNGSsf9g2Q0jC+/f1:68Xr+EJL2RkDGOHOEZfN8Sj/9dmx2+V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
Processes: FB_D1A2.tmp.exe, 20mcos.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: FB_D1A2.tmp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: 20mcos.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: 20mcos.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: FB_D1A2.tmp.exe)
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: FB_D1A2.tmp.exe, 20mcos.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: FB_D1A2.tmp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: FB_D1A2.tmp.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 20mcos.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: 20mcos.exe)
Executes dropped EXE (3 IoCs)
Processes: FB_D153.tmp.exe, FB_D1A2.tmp.exe, 20mcos.exe
- PID 2468 FB_D153.tmp.exe
- PID 2564 FB_D1A2.tmp.exe
- PID 2680 20mcos.exe
Loads dropped DLL (6 IoCs)
Processes: diskperf.exe, cmd.exe
- PID 2756 diskperf.exe (4 entries)
- PID 832 cmd.exe (2 entries)
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe, FB_D1A2.tmp.exe, 20mcos.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" (process: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: FB_D1A2.tmp.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: FB_D1A2.tmp.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: 20mcos.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\20mcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\20mcos\\20mcos.exe\"" (process: 20mcos.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: FB_D1A2.tmp.exe, 20mcos.exe
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: FB_D1A2.tmp.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: 20mcos.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe, 20mcos.exe
- PID 2472 (5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe) set thread context of PID 2756 (diskperf.exe)
- PID 2680 (20mcos.exe) set thread context of PID 1600 (iexplore.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: iexplore.exe
- PID 1600 iexplore.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: iexplore.exe
- PID 1600 iexplore.exe
Suspicious use of SendNotifyMessage (1 IoCs)
Processes: iexplore.exe
- PID 1600 iexplore.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: iexplore.exe
- PID 1600 iexplore.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Processes: 5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe, diskperf.exe, FB_D1A2.tmp.exe, WScript.exe, cmd.exe, 20mcos.exe
- PID 2472 (5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe) wrote to memory of PID 2756 (diskperf.exe): 6 entries
- PID 2756 (diskperf.exe) wrote to memory of PID 2468 (FB_D153.tmp.exe): 4 entries
- PID 2756 (diskperf.exe) wrote to memory of PID 2564 (FB_D1A2.tmp.exe): 4 entries
- PID 2564 (FB_D1A2.tmp.exe) wrote to memory of PID 1612 (WScript.exe): 4 entries
- PID 1612 (WScript.exe) wrote to memory of PID 832 (cmd.exe): 4 entries
- PID 832 (cmd.exe) wrote to memory of PID 2680 (20mcos.exe): 4 entries
- PID 2680 (20mcos.exe) wrote to memory of PID 1600 (iexplore.exe): 11 entries
Processes (number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5aa3e5eafe9fe3da717d5996a830cd14_JaffaCakes118.exe"
    PID: 2472
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\diskperf.exe
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
    PID: 2756
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\FB_D153.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FB_D153.tmp.exe"
    PID: 2468
    - Executes dropped EXE
[3] C:\Users\Admin\AppData\Local\Temp\FB_D1A2.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FB_D1A2.tmp.exe"
    PID: 2564
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    PID: 1612
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe"
    PID: 832
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[6] C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe
    Command line: C:\Users\Admin\AppData\Roaming\20mcos\20mcos.exe
    PID: 2680
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
[7] C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 1600
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads