Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 20:07
Static task: static1 (1 signature)
Behavioral task: behavioral1 (6 signatures, 150 seconds)
  Sample: 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
  Resource: win7-20231129-en (windows7-x64)
General
Target: 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
Size: 144KB
MD5: 60f308c539feac706dcd2c85831771cb
SHA1: 862d8459c8114216aee8794282dc0cf457630c97
SHA256: 955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857
SHA512: ed08e61e2c1aa7659a9421dc963e047ed0ad89318388af50fbe46303cafa1d4962dee4fb97f54dc060a72b79faf6168c71158d6ffb924d7a6b4062fbb62a049b
SSDEEP: 3072:Dlll3NCpoO6BfDbCgwF+a5p1n4eM2kXjSBGNREQW:DhocfDbC/Fr4PzSBGNRL
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
  pid   process
  2348  svchost.exe

Discovers systems in the same network (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  1972  60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe  (2 entries)
  2348  svchost.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2052  whoami.exe  (23 identical entries)

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                       pid   process                                              target process
  PID 1972 wrote to memory of 2348  1972  60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe  svchost.exe  (5 entries)
  PID 2348 wrote to memory of 2052  2348  svchost.exe                                          whoami.exe   (4 entries)
  PID 2348 wrote to memory of 2572  2348  svchost.exe                                          net.exe      (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\whoami.exe
         command line: C:\Windows\system32\whoami.exe /all
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\net.exe
         command line: C:\Windows\system32\net.exe view
         - Discovers systems in the same network

Note: the image paths sit under SysWOW64 while the command lines name system32 because the sample is 32-bit and its references to system32 are redirected by WOW64 file system redirection on this x64 image. This svchost.exe is not a service host: its parent is the sample rather than services.exe, its command line carries no "-k" service group, and it instead receives the sample's own path as an argument. Together with the five WriteProcessMemory hits from PID 1972 into PID 2348 and the "Deletes itself" hit attributed to the child, this is consistent with the sample running its payload inside a freshly spawned svchost.exe and removing the original file from disk. The whoami /all and net view children of that process are local privilege/identity and network-neighbour reconnaissance.
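The chain above (an svchost.exe spawned by a user-land binary with that binary's path as its only argument, then whoami and net view from that svchost) is straightforward to catch in process-creation telemetry. The following Python is an added example and is not part of the Triage report: it runs three rules over constructed Sysmon-style process-creation records modelled on this tree. The services.exe and explorer.exe rows, their PIDs, and the benign "-k netsvcs" svchost.exe control row are invented so that a legitimate svchost.exe instance is present for comparison.

```python
"""Added example: flag the svchost.exe / whoami / net view chain from this
report in process-creation telemetry. Events are constructed from the report's
process tree; the services.exe, explorer.exe and benign svchost.exe rows and
their PIDs are invented so that a legitimate control instance is present."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # its command line


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"

EVENTS = [
    # invented rows: a normal service host started by services.exe
    ProcEvent(480, 4, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(800, 480, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ProcEvent(1100, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    # rows modelled on the report's process tree (parent of 1972 is invented)
    ProcEvent(1972, 1100, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2348, 1972, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\system32\svchost.exe " + '"' + SAMPLE + '"'),
    ProcEvent(2052, 2348, r"C:\Windows\SysWOW64\whoami.exe", r"C:\Windows\system32\whoami.exe /all"),
    ProcEvent(2572, 2348, r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\system32\net.exe view"),
]

# Built-in discovery tools that a service host has no business launching.
DISCOVERY_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
                   "systeminfo.exe", "nltest.exe", "nbtstat.exe"}
SVCHOST_PARENTS = {"services.exe"}   # the only normal launcher of svchost.exe


def basename(path):
    return ntpath.basename(path).lower()


def svchost_findings(ev, by_pid):
    """Rules that apply to any svchost.exe instance."""
    hits = []
    if basename(ev.image) != "svchost.exe":
        return hits
    parent = by_pid.get(ev.ppid)
    if parent is None or basename(parent.image) not in SVCHOST_PARENTS:
        hits.append("svchost_not_from_services")
    if "-k" not in ev.cmdline.lower().split():
        hits.append("svchost_missing_k_group")
    if "\\users\\" in ev.cmdline.lower():
        hits.append("svchost_user_path_argument")
    return hits


def discovery_findings(ev, by_pid):
    """Discovery tool whose parent is svchost.exe."""
    hits = []
    if basename(ev.image) in DISCOVERY_TOOLS:
        parent = by_pid.get(ev.ppid)
        if parent is not None and basename(parent.image) == "svchost.exe":
            hits.append("discovery_tool_under_svchost")
    return hits


def analyze(events):
    """Return {pid: [rule names]} for every process that tripped a rule."""
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(list)
    for ev in events:
        for rule in (svchost_findings, discovery_findings):
            findings[ev.pid].extend(rule(ev, by_pid))
    return {pid: hits for pid, hits in findings.items() if hits}


def chain_root(events, findings):
    """Walk from each flagged discovery tool up through its flagged svchost.exe
    to the process that spawned that svchost: the sample itself in this report."""
    by_pid = {e.pid: e for e in events}
    roots = set()
    for pid, hits in findings.items():
        if "discovery_tool_under_svchost" in hits:
            svc = by_pid[by_pid[pid].ppid]
            if findings.get(svc.pid):
                roots.add(svc.ppid)
    return roots


if __name__ == "__main__":
    found = analyze(EVENTS)
    for pid in sorted(found):
        print(pid, basename({e.pid: e for e in EVENTS}[pid].image), found[pid])
    print("chain root(s):", sorted(chain_root(EVENTS, found)))
```

The first two svchost rules alone would have fired on PID 2348 in this run; the user-path rule is the one that also pins the parent/child relationship to a specific dropper path, which is what an analyst wants when the same loader is reused with a different second-stage.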
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file                                                            size
memory/1972-0-0x00000000001D0000-0x00000000001F5000-memory.dmp  148KB
memory/1972-1-0x0000000000130000-0x0000000000136000-memory.dmp  24KB
memory/1972-4-0x00000000001D0000-0x00000000001F5000-memory.dmp  148KB
memory/2348-2-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
memory/2348-5-0x0000000076339000-0x000000007633A000-memory.dmp  4KB
memory/2348-6-0x0000000001E50000-0x0000000001E75000-memory.dmp  148KB
memory/2348-7-0x0000000001E50000-0x0000000001E75000-memory.dmp  148KB
memory/2348-8-0x0000000001E50000-0x0000000001E75000-memory.dmp  148KB
memory/2348-9-0x0000000001E50000-0x0000000001E75000-memory.dmp  148KB
memory/2348-10-0x0000000001E50000-0x0000000001E75000-memory.dmp 148KB
memory/2348-11-0x0000000001E50000-0x0000000001E75000-memory.dmp 148KB
memory/2348-12-0x0000000001E50000-0x0000000001E75000-memory.dmp 148KB
memory/2348-13-0x0000000001E50000-0x0000000001E75000-memory.dmp 148KB
memory/2348-18-0x00000000762B0000-0x00000000763C0000-memory.dmp 1.1MB
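The dump list is enough to check the injection reading of the process tree without re-running the sandbox: the 148KB region at 0x1D0000 in PID 1972 and the 148KB region at 0x1E50000 in PID 2348 are both 0x25000 bytes, and 1972 is the process that wrote into 2348. The following Python is an added example, not part of the Triage report: it parses the dump names as listed above, recomputes each region's size from its address range, and pairs same-size regions across the writer/target PIDs taken from the WriteProcessMemory table. Using the 144KB on-disk size as the lower bound for a region that could hold the mapped sample is an assumption (a mapped PE is at least as large as its file, and Triage rounds the size it reports).

```python
"""Added example: correlate the memory dumps listed in this report with the
WriteProcessMemory writer/target pairs to find candidate injected regions.
Dump names and PID pairs are copied from the report; the size threshold is an
assumption (a mapped PE is at least as large as its on-disk file)."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Copied from the Downloads list of this report.
DUMP_NAMES = [
    "memory/1972-0-0x00000000001D0000-0x00000000001F5000-memory.dmp",
    "memory/1972-1-0x0000000000130000-0x0000000000136000-memory.dmp",
    "memory/1972-4-0x00000000001D0000-0x00000000001F5000-memory.dmp",
    "memory/2348-2-0x0000000000570000-0x0000000000571000-memory.dmp",
    "memory/2348-5-0x0000000076339000-0x000000007633A000-memory.dmp",
    "memory/2348-6-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-7-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-8-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-9-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-10-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-11-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-12-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-13-0x0000000001E50000-0x0000000001E75000-memory.dmp",
    "memory/2348-18-0x00000000762B0000-0x00000000763C0000-memory.dmp",
]

# writer -> target pairs from the "Suspicious use of WriteProcessMemory" table
WRITES = [(1972, 2348), (2348, 2052), (2348, 2572)]

SAMPLE_SIZE_ON_DISK = 144 * 1024   # report says 144KB (rounded), so approximate


def parse_dump_name(name):
    """Split a Triage dump file name into pid, dump index and address range."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError("not a Triage memory dump name: " + name)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def region_size(region):
    return region["end"] - region["start"]


def human_size(nbytes):
    """Match the report's rounding: whole KB below 1MB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return "%.1fMB" % (nbytes / (1 << 20))
    return "%dKB" % (nbytes // 1024)


def regions_by_pid(dump_names):
    """Distinct (start, end) ranges per PID; repeated dumps of one range collapse."""
    out = defaultdict(set)
    for name in dump_names:
        r = parse_dump_name(name)
        out[r["pid"]].add((r["start"], r["end"]))
    return out


def injection_candidates(dump_names, writes, min_size):
    """For each writer->target pair, report regions of identical size that are
    present in both processes and large enough to hold the sample."""
    regs = regions_by_pid(dump_names)
    found = []
    for writer, target in writes:
        for ws, we in sorted(regs.get(writer, ())):
            for ts, te in sorted(regs.get(target, ())):
                size = we - ws
                if size == te - ts and size >= min_size:
                    found.append((writer, target, size, (ws, we), (ts, te)))
    return found


if __name__ == "__main__":
    for pid, ranges in sorted(regions_by_pid(DUMP_NAMES).items()):
        for s, e in sorted(ranges):
            print("pid %d  0x%08X-0x%08X  %s" % (pid, s, e, human_size(e - s)))
    for w, t, size, wr, tr in injection_candidates(DUMP_NAMES, WRITES, SAMPLE_SIZE_ON_DISK):
        print("candidate: %d wrote a %s region (0x%X) into %d at 0x%X"
              % (w, human_size(size), wr[0], t, tr[0]))
```

The single candidate this produces is the 0x25000-byte pair 1972:0x1D0000 and 2348:0x1E50000. Whether the two dumps hold the same code is a byte comparison of the downloaded files, which this script does not do; it only tells you which pair to compare.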