Analysis
max time kernel: 145s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 20:31
Static task: static1
Behavioral task: behavioral1
  Sample: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
Size: 1.0MB
MD5: 5b51fcb93e6d3718bba97e531ba8ad2d
SHA1: 3ea027b5382e84f2936fc688781de0a2fc167db1
SHA256: b2d23e455eb56451966097d786f7b7e3a056e693f7811b179147da1603850aef
SHA512: 76242227fc5b7d07973c45ae541eb050e212e9136cd5b1b8abbf9c963d1493f5333bdcffcf6029c04ba81dd7e5d9f9330f67038d82ff80ab7d1b677e69e679d8
SSDEEP: 12288:EQbgTLDAmuSRNHNwmFUMJW48HGO+hfuQ/c0TQyZKpL9GQ5Qw:EQkTLMmuSRNHNwmFUEZ4GOIft/1Qp9GA
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: mstsc.exe
  description | ioc | process
  File opened (read-only) | \??\G: | mstsc.exe
  File opened (read-only) | \??\S: | mstsc.exe
  File opened (read-only) | \??\Y: | mstsc.exe
  File opened (read-only) | \??\Z: | mstsc.exe
  File opened (read-only) | \??\A: | mstsc.exe
  File opened (read-only) | \??\I: | mstsc.exe
  File opened (read-only) | \??\O: | mstsc.exe
  File opened (read-only) | \??\P: | mstsc.exe
  File opened (read-only) | \??\U: | mstsc.exe
  File opened (read-only) | \??\E: | mstsc.exe
  File opened (read-only) | \??\H: | mstsc.exe
  File opened (read-only) | \??\L: | mstsc.exe
  File opened (read-only) | \??\M: | mstsc.exe
  File opened (read-only) | \??\N: | mstsc.exe
  File opened (read-only) | \??\T: | mstsc.exe
  File opened (read-only) | \??\V: | mstsc.exe
  File opened (read-only) | \??\B: | mstsc.exe
  File opened (read-only) | \??\J: | mstsc.exe
  File opened (read-only) | \??\K: | mstsc.exe
  File opened (read-only) | \??\Q: | mstsc.exe
  File opened (read-only) | \??\R: | mstsc.exe
  File opened (read-only) | \??\W: | mstsc.exe
  File opened (read-only) | \??\X: | mstsc.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe, mstsc.exe
  description | pid | process | target process
  PID 340 set thread context of 2580 | 340 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 2580 set thread context of 2708 | 2580 | mstsc.exe | iexplore.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: mstsc.exe
  pid | process
  2592 | mstsc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe, mstsc.exe, iexplore.exe
  description | pid | process | target process
  PID 340 wrote to memory of 2580 | 340 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 340 wrote to memory of 2580 | 340 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 340 wrote to memory of 2580 | 340 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 340 wrote to memory of 2580 | 340 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 340 wrote to memory of 2580 | 340 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 340 wrote to memory of 2580 | 340 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2580 wrote to memory of 2708 | 2580 | mstsc.exe | iexplore.exe
  PID 2708 wrote to memory of 2592 | 2708 | iexplore.exe | mstsc.exe
  PID 2708 wrote to memory of 2592 | 2708 | iexplore.exe | mstsc.exe
  PID 2708 wrote to memory of 2592 | 2708 | iexplore.exe | mstsc.exe
  PID 2708 wrote to memory of 2592 | 2708 | iexplore.exe | mstsc.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe"
   PID: 340
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\mstsc.exe
      Command line: "C:\Windows\SysWOW64\mstsc.exe"
      PID: 2580
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 2708
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\mstsc.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 2592
            - Enumerates connected drives
            - Suspicious behavior: GetForegroundWindowSpam