Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 11:12
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe
  - Resource: win7-20240220-en

Behavioral task
- behavioral2
  - Sample: 6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe
  - Resource: win10v2004-20240426-en
General
- Target: 6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe
- Size: 98KB
- MD5: 6ac062d21f08f139d9f3d1e335e72e22
- SHA1: 9e967a759e894a83c4b693e81c031d7214a8e699
- SHA256: 564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd
- SHA512: 0a02068f6e22a41f4037d01882e32fc7bacf515818cf4f721960b987393da6b1d32ff4aa1b5fa73d546908cb85ded211061b37f4731ed643b8182909008a6892
- SSDEEP: 1536:0bPX/gJxDFgu02gM+LXbtQ5IxWwbglROAnbFmYVKCKclF:0cxz1gxXSNwbYcYVKhYF
Malware Config
Extracted
- C:\PerfLogs\# How to Decrypt Files-S9HRF.html
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid 2648  krakentemp0000.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payload = "C:\\Users\\Admin\\AppData\\Local\\Temp\\krakentemp0000.exe"  (process: 6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe)

- Looks up external IP address via web service (7 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 4   ipinfo.io
    flow 5   ipinfo.io
    flow 6   ipinfo.io
    flow 7   ipinfo.io
    flow 8   ipinfo.io
    flow 9   ipinfo.io
    flow 10  ipinfo.io

- Drops file in Program Files directory (2 IoCs)
  Processes:
    File created  C:\Program Files\Touch        (process: krakentemp0000.exe)
    File created  C:\Program Files (x86)\Touch  (process: krakentemp0000.exe)

- Drops file in Windows directory (1 IoC)
  Processes:
    File created  C:\Windows\Touch  (process: krakentemp0000.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates processes with tasklist (1 TTP, 1 IoC)

- Modifies registry class (5 IoCs)
  Processes (all by 6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe):
    Key created      \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mscfile
    Key created      \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mscfile\shell
    Key created      \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mscfile\shell\open
    Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\krakentemp0000.exe"
    Key created      \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\mscfile\shell\open\command

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid 2648  krakentemp0000.exe  (12 entries)
    pid 3068  tasklist.exe        (2 entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege            pid 2648  krakentemp0000.exe
    Token: SeIncBasePriorityPrivilege  pid 2648  krakentemp0000.exe
    Token: SeDebugPrivilege            pid 3068  tasklist.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (source pid/process -> target pid/process, number of entries):
    PID 2836  6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe  -> PID 2516  eventvwr.exe        (3 entries)
    PID 2516  eventvwr.exe                                         -> PID 2648  krakentemp0000.exe  (4 entries)
    PID 2648  krakentemp0000.exe                                   -> PID 3068  tasklist.exe        (4 entries)
    PID 2648  krakentemp0000.exe                                   -> PID 1876  cmd.exe             (4 entries)
    PID 1876  cmd.exe                                              -> PID 1676  PING.EXE            (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ac062d21f08f139d9f3d1e335e72e22_JaffaCakes118.exe"
  PID: 2836
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\eventvwr.exe
    Command line: "C:\Windows\System32\eventvwr.exe"
    PID: 2516
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exe"
      PID: 2648
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\tasklist.exe
        Command line: "tasklist" /V /FO CSV
        PID: 3068
        - Enumerates processes with tasklist
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exe"
        PID: 1876
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 3
          PID: 1676
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\PerfLogs\# How to Decrypt Files-S9HRF.html
  Filesize: 9KB
  MD5: 83ef98ab324a835586867432b720b477
  SHA1: e18847b5508efff9d5d5def52f13633ec6cc37d6
  SHA256: bb238a1ba75a264d80ba8eb6162f3ac4654ae370e7604c9111edf10a95c70a03
  SHA512: b09878ebdd7474144a20d294e6e41f32884373bff3f2abc6758da0ce22f94d9123540bf906f4e7304b4d1ebfba9b1caa5ad6d64c3a8e720c02b1eacd1e201c19

- C:\Users\Admin\AppData\Local\Temp\krakentemp0000.exe
  Filesize: 91KB
  MD5: b8665cf00d32352ee83ceb189595a753
  SHA1: 669605b2968e3eca80c9366f973dc589057227e5
  SHA256: 7e0ee0e707db426eaf25bd0924631db969bb03dd9b13addffbcc33311a3b9aa7
  SHA512: de6ec58e018a8db2538c0e5ae3942ea3ec370a9724e2f734e5c3898d8867213f25116a7793309e87c04548d1180aeb7d57bda37c0d60c4f3d2fa390e509f1a28

- memory/2648-6-0x0000000000190000-0x00000000001D0000-memory.dmp
  Filesize: 256KB

- memory/2648-426-0x0000000000190000-0x00000000001D0000-memory.dmp
  Filesize: 256KB

- memory/2836-0-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp
  Filesize: 4KB

- memory/2836-2-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp
  Filesize: 9.6MB

- memory/2836-5-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp
  Filesize: 9.6MB