Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 11:19
Behavioral task
behavioral1
Sample
6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe
-
Size
1018KB
-
MD5
6ac52086b2353d329f2c6b96dfc4b2bd
-
SHA1
c9ab0a3a4c3439d15ad30a6ea0ad738296853b24
-
SHA256
ceb8e3b6055c093d73b740ec68aeb2b35688c70ead8d53f9221c677049213905
-
SHA512
c86f4ce9c915419fe4f43af577ac930413665e4ae9df7453047abe445a08f3910a2e7929d580ba57ecf694302e4f08949ca24278e5f463cc947f32036979f6ff
-
SSDEEP
24576:ar4FsOULhhUF54clNf7CokNLQyhFoCRsAz:+o54clMSuNj
Malware Config
Signatures
-
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral1/memory/2256-1-0x0000000000AA0000-0x0000000000BA4000-memory.dmp family_echelon -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe Decoder.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe Decoder.exe -
Executes dropped EXE 2 IoCs
pid Process 2612 Decoder.exe 399740 systems32.exe -
resource yara_rule behavioral1/files/0x0035000000015d7f-20.dat vmprotect behavioral1/memory/2612-21-0x00000000001C0000-0x00000000001F2000-memory.dmp vmprotect behavioral1/memory/399740-34-0x0000000000840000-0x0000000000872000-memory.dmp vmprotect -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 401284 schtasks.exe 108 schtasks.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 2460 timeout.exe 2868 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2612 Decoder.exe 399740 systems32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe Token: SeDebugPrivilege 2612 Decoder.exe Token: SeDebugPrivilege 399740 systems32.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2256 wrote to memory of 2612 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 29 PID 2256 wrote to memory of 2612 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 29 PID 2256 wrote to memory of 2612 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 29 PID 2256 wrote to memory of 2072 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 30 PID 2256 wrote to memory of 2072 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 30 PID 2256 wrote to memory of 2072 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 30 PID 2256 wrote to memory of 2560 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 31 PID 2256 wrote to memory of 2560 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 31 PID 2256 wrote to memory of 2560 2256 6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe 31 PID 2072 wrote to memory of 2460 2072 cmd.exe 34 PID 2072 wrote to memory of 2460 2072 cmd.exe 34 PID 2072 wrote to memory of 2460 2072 cmd.exe 34 PID 2560 wrote to memory of 2868 2560 cmd.exe 35 PID 2560 wrote to memory of 2868 2560 cmd.exe 35 PID 2560 wrote to memory of 2868 2560 cmd.exe 35 PID 2612 wrote to memory of 108 2612 Decoder.exe 36 PID 2612 wrote to memory of 108 2612 Decoder.exe 36 PID 2612 wrote to memory of 108 2612 Decoder.exe 36 PID 398692 wrote to memory of 399740 398692 taskeng.exe 39 PID 398692 wrote to memory of 399740 398692 taskeng.exe 39 PID 398692 wrote to memory of 399740 398692 taskeng.exe 39 PID 399740 wrote to memory of 401284 399740 systems32.exe 40 PID 399740 wrote to memory of 401284 399740 systems32.exe 40 PID 399740 wrote to memory of 401284 399740 systems32.exe 40 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ac52086b2353d329f2c6b96dfc4b2bd_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f3⤵
- Creates scheduled task(s)
PID:108
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:2460
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3044.tmp.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:2868
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1D5C8D2A-5989-44AB-B280-DD62B2F365E5} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:398692 -
C:\systems32_bit\systems32.exe\systems32_bit\systems32.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:399740 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f3⤵
- Creates scheduled task(s)
PID:401284
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148KB
MD521998709466c12a52cbc5aff86744aae
SHA15cbb11d167af1e1e1d10f920b084e26a89d5441f
SHA25696d5aff39e576f94994c005b9b7db5d41a6f8db9505f4a462d259f2141830c03
SHA51275398142630308dcf5d90f75b5eafab0a182d63522626cff3798973ab098fc80fda1c767aa6c14649951a54130b8ac12bdcfd8d2e09e01b8cbd91b552b8a3862
-
Filesize
28B
MD5217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330
-
Filesize
131B
MD5c7b40a7a8156723e74683d7166943a68
SHA139b66511d5e79a8fbe572de80ef55e3ab4ab365f
SHA256c92eae6a38bace9a91dcaa08c973d38c58c3befef037da3421374b9d98e90ce8
SHA5129627592c2796052471611851046fdb9b0c8f1d51108de5ef1b6402255a1c6e9206e2f0e1c29504294cc2fa1d3bbd148ce740cc27bd23a7202acf53fcfd10b69b