Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 00:03
Static task: static1
Behavioral task: behavioral1
Sample: 69153229a224c99a9b40294992d0647b_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 69153229a224c99a9b40294992d0647b_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 69153229a224c99a9b40294992d0647b_JaffaCakes118.exe
Size: 345KB
MD5: 69153229a224c99a9b40294992d0647b
SHA1: 7d44a1e0f6baacf40c008c2178b2485fca6a3036
SHA256: 218a795106b30706f8706b35374141691150acef379227e9310ea5e7ce79827b
SHA512: f88d93698b19fb77947a9e684d7d3cfd521831333d2223297ac187e93aabd3a5fba4dcec9279f0a6670df9a213bd2d1431b08dd531108715abeeaa23b9b0c158
SSDEEP: 6144:p2NW40bKvfNHvJJ4q5kYoVNAHvditx5sxj3pix3+dC5ONWIWCF9lSde4uGUBKEO:p284hfNPUngvx9ixOdFoIWCblo3nEO
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
- 1644 update.exe
Loads dropped DLL (4 IoCs)
Processes:
- 2360 69153229a224c99a9b40294992d0647b_JaffaCakes118.exe
- 1644 update.exe (listed 3 times, one entry per IoC)
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
69153229a224c99a9b40294992d0647b_JaffaCakes118.exe (in the order reported; every letter except c:, d: and f:):
- File opened (read-only) \??\i:
- File opened (read-only) \??\k:
- File opened (read-only) \??\o:
- File opened (read-only) \??\p:
- File opened (read-only) \??\q:
- File opened (read-only) \??\b:
- File opened (read-only) \??\g:
- File opened (read-only) \??\h:
- File opened (read-only) \??\u:
- File opened (read-only) \??\z:
- File opened (read-only) \??\w:
- File opened (read-only) \??\x:
- File opened (read-only) \??\y:
- File opened (read-only) \??\a:
- File opened (read-only) \??\j:
- File opened (read-only) \??\s:
- File opened (read-only) \??\l:
- File opened (read-only) \??\v:
- File opened (read-only) \??\r:
- File opened (read-only) \??\t:
- File opened (read-only) \??\e:
- File opened (read-only) \??\m:
- File opened (read-only) \??\n:
Drops file in Windows directory (1 IoC)
Processes:
update.exe:
- File opened for modification C:\Windows\KB822603.log
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
1644 update.exe (in the order reported):
- Token: SeRestorePrivilege (7 consecutive entries)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
- PID 2360 (69153229a224c99a9b40294992d0647b_JaffaCakes118.exe) wrote to memory of PID 1644 (update.exe), 7 entries
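Two of the signatures above ("Enumerates connected drives" and "Suspicious use of AdjustPrivilegeToken") are simple per-process aggregations over the raw behaviour events. The script below re-derives them from event lines, as an added example that is not part of the sandbox or of this report. The event line format `<pid> <image> <event text>`, the three-root threshold and the inclusion of SeDebugPrivilege in the sensitive set are assumptions; the sample events are constructed from the IoCs printed on this page plus one made-up benign control process (pid 4000, explorer.exe) that must not fire either signature.

```python
"""Re-derive two behavioural signatures from raw per-process event lines.
Added example, not sandbox code: the event format "<pid> <image> <event text>",
the thresholds and the sample events are assumptions constructed from the IoCs
on this page plus one made-up benign control process."""
import re
from collections import defaultdict

SAMPLE_NAME = "69153229a224c99a9b40294992d0647b_JaffaCakes118.exe"

# Drive letters in the order the report lists them (23 roots, C: absent).
DRIVE_LETTERS = "ikopqbghuzwxyajslvrtemn"

# Privilege adjustments in the order the report lists them for update.exe.
TOKEN_SEQUENCE = ["SeRestorePrivilege"] * 7 + [
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
]


def build_sample_log():
    """Constructed event log: report IoCs plus a benign control (pid 4000)."""
    lines = ["2360 %s File opened (read-only) \\??\\%s:" % (SAMPLE_NAME, c)
             for c in DRIVE_LETTERS]
    lines += ["1644 update.exe Token: %s" % t for t in TOKEN_SEQUENCE]
    # Control process: touches only C: and D: and enables a low-risk privilege.
    lines += ["4000 explorer.exe File opened (read-only) \\??\\c:",
              "4000 explorer.exe File opened (read-only) \\??\\d:",
              "4000 explorer.exe Token: SeShutdownPrivilege"]
    return "\n".join(lines)


DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([a-z]):$", re.I)
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege)$")

# Privileges that let a process bypass file ACLs or alter object ownership.
# The first four appear on this page; SeDebugPrivilege is an added assumption.
SENSITIVE_PRIVILEGES = {"SeRestorePrivilege", "SeBackupPrivilege",
                        "SeTakeOwnershipPrivilege", "SeSecurityPrivilege",
                        "SeDebugPrivilege"}


def parse_events(text):
    """Yield (pid, image, detail) tuples; blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, image, detail = line.split(" ", 2)
        yield int(pid), image, detail


def enumerates_drives(events, min_roots=3):
    """Processes that open >= min_roots distinct non-C: drive roots read-only."""
    roots = defaultdict(set)
    for pid, image, detail in events:
        m = DRIVE_RE.search(detail)
        if m and m.group(1).lower() != "c":
            roots[(pid, image)].add(m.group(1).lower())
    return {k: sorted(v) for k, v in roots.items() if len(v) >= min_roots}


def adjusts_sensitive_privileges(events):
    """Processes that enable at least one privilege from SENSITIVE_PRIVILEGES."""
    privs = defaultdict(set)
    for pid, image, detail in events:
        m = TOKEN_RE.search(detail)
        if m and m.group(1) in SENSITIVE_PRIVILEGES:
            privs[(pid, image)].add(m.group(1))
    return {k: sorted(v) for k, v in privs.items()}


def run_signatures(text):
    """Return {signature name: {(pid, image): evidence list}} for a log text."""
    events = list(parse_events(text))
    return {
        "Enumerates connected drives": enumerates_drives(events),
        "Suspicious use of AdjustPrivilegeToken": adjusts_sensitive_privileges(events),
    }


if __name__ == "__main__":
    for name, hits in run_signatures(build_sample_log()).items():
        for (pid, image), evidence in hits.items():
            print("%s: %s (pid %d): %s" % (name, image, pid, ", ".join(evidence)))
```

Counting distinct non-C: roots rather than raw open events is what keeps a process that legitimately re-opens D: many times from tripping the drive-enumeration check, and keying the privilege check on a fixed sensitive set is why SeShutdownPrivilege alone (seen here on update.exe as well) is not enough to fire it.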
Processes
C:\Users\Admin\AppData\Local\Temp\69153229a224c99a9b40294992d0647b_JaffaCakes118.exe (PID 2360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\69153229a224c99a9b40294992d0647b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  \??\c:\14e2bc7d2b0a2d975acefb65cb\update\update.exe (PID 1644, child of PID 2360)
    Command line: c:\14e2bc7d2b0a2d975acefb65cb\update\update.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 411KB
MD5: 918f548704dea6917a2fcf719d715596
SHA1: c8d0ed3b3e4ea7c5946fb6fb84b19b374930c673
SHA256: 5bc84e81cc2164f8eb6ac540da01be55be0fc31a966be57b31acd17164cbc770
SHA512: d68affe0e1aa684cecbc8341c9c1d179b750fa4aca88f0fcaa5fff659c5651811ab6c02bbff53d9023fc545875084f73e62a3bbad9c501935e9cd3afbf1df0c0
File 2
Filesize: 4KB
MD5: 30e39e98c98c84635f94b4302fd40f85
SHA1: 51eb8fe6219aa91d90fcf105ea7640b806c438e2
SHA256: 70fab8484d99ad0a6effab6137a0db3af491a16f41ac44665aadb71699291abb
SHA512: 03a7f5f65b6678e08bd275d113eaddf9b97a972c033137a2d794bbccbd5b92a8bb518d7430c8caad5729ede8ba4d878f8c3ece3e317220242d6795ca4514f84d