Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: 693ece4bce6c9a9c6d3462bf0646e0ba_JaffaCakes118.jad
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 693ece4bce6c9a9c6d3462bf0646e0ba_JaffaCakes118.jad
- Resource: win10v2004-20240426-en
General
- Target: 693ece4bce6c9a9c6d3462bf0646e0ba_JaffaCakes118.jad
- Size: 70KB
- MD5: 693ece4bce6c9a9c6d3462bf0646e0ba
- SHA1: caa2d463e70dc20b169aabf73168ad52bd5cb194
- SHA256: a8c5e6bfdcf8346da233bc29b254aa36e3f554a5a524fc4772ac659d5be7d8f5
- SHA512: 6051f565d022b6c4c207f85f281b7982caf81346772d73276df008824589f4add6801c312fa68218a76c88cdaf6d585bded92fb2a4f174e3bc8824e2793a22d9
- SSDEEP: 1536:exY2pxBWG1vAxhEopGgI9QZIS/NmzJsej5yh:cVhYV8gIvimzJseFyh
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\jad_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.jad | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\jad_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2976 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2976 | AcroRd32.exe
  2976 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2196 wrote to memory of 2604 | 2196 | cmd.exe | rundll32.exe
  PID 2196 wrote to memory of 2604 | 2196 | cmd.exe | rundll32.exe
  PID 2196 wrote to memory of 2604 | 2196 | cmd.exe | rundll32.exe
  PID 2604 wrote to memory of 2976 | 2604 | rundll32.exe | AcroRd32.exe
  PID 2604 wrote to memory of 2976 | 2604 | rundll32.exe | AcroRd32.exe
  PID 2604 wrote to memory of 2976 | 2604 | rundll32.exe | AcroRd32.exe
  PID 2604 wrote to memory of 2976 | 2604 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\693ece4bce6c9a9c6d3462bf0646e0ba_JaffaCakes118.jad
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\693ece4bce6c9a9c6d3462bf0646e0ba_JaffaCakes118.jad
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\693ece4bce6c9a9c6d3462bf0646e0ba_JaffaCakes118.jad"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: eee7445dcf4ee946b691e1e8e87c79c4
  SHA1: c441aa700169af2f3705025cde9b2bab0cc31356
  SHA256: a06c915cfd1da4208f6aad715060ef3b4a91b5a14d7a12cd973b8e009e4bcd5b
  SHA512: 443687fb25a4c5d0468f229667a8d291023ca8239198d5f7392d23f455c1ad37bb4c941294c624ca5d198c3f29ce77ce1acb5c621fb333783b7858d5275addfb