Analysis
Max time kernel: 138s
Max time network: 135s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 26/05/2024, 20:11
Static task: static1
Behavioral task: behavioral1
  Sample: 76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe
Size: 362KB
MD5: 76af348518fffd3b633694751d5e6e90
SHA1: 880e2d4f647bee68d8edd2a2b649be480e5a1c9a
SHA256: f8e2445d5187846a19b9138cf18a51cc2b8d590d95af57ee57bbaa68cbe8fe39
SHA512: c837e7e7c45e10ddb0ca5fe6bd177b9fbea8b31ece840b3ba638fe20b5a07d57db3bce73ebdbcfa8b7b42938984c5d3e916a481f120780ba7fab3d3b2ce47bd0
SSDEEP: 6144:FraWkc+CrdYzNJdL38Lv1E0/Vxu1g+a/ko/+ymQVtWphD+iLiZqY+BUoEBEjMcWw:VaWh+uSzNJ21Fu1gFZIQVspzBpBUo/j9
Malware Config
Signatures
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Run.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Run.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | Run.exe
Executes dropped EXE (12 IoCs)
  pid | Process
  2652 | Run.exe
  2648 | rssvnc.exe
  2724 | rssvnc.exe
  2644 | rssvnc.exe
  2612 | rssvnc.exe
  1740 | rssvnc.exe
  1952 | rssvnc.exe
  1552 | rssvnc.exe
  2116 | rssvnc.exe
  2084 | rssvnc.exe
  560 | rssvnc.exe
  1488 | rssvnc.exe
Loads dropped DLL (47 IoCs, listed in report order; consecutive identical rows are collapsed with a count)
  pid | Process
  1368 | 76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe
  2652 | Run.exe (x4)
  2648 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  2724 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  2644 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  2612 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  1740 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  1952 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  1552 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  2116 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  2084 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  560 | rssvnc.exe (x2)
  2652 | Run.exe (x2)
  1488 | rssvnc.exe (x2)
Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Run.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Run.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | Run.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2652 | Run.exe (x64)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2652 | Run.exe (x2)
Suspicious use of WriteProcessMemory (64 IoCs, listed in report order; identical consecutive rows are collapsed with a count)
  description | pid | Process | procid_target
  PID 1368 wrote to memory of 2652 | 1368 | 76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe | 28 (x7)
  PID 2652 wrote to memory of 2648 | 2652 | Run.exe | 29 (x7)
  PID 2652 wrote to memory of 2724 | 2652 | Run.exe | 30 (x7)
  PID 2652 wrote to memory of 2644 | 2652 | Run.exe | 31 (x7)
  PID 2652 wrote to memory of 2612 | 2652 | Run.exe | 32 (x7)
  PID 2652 wrote to memory of 1740 | 2652 | Run.exe | 35 (x7)
  PID 2652 wrote to memory of 1952 | 2652 | Run.exe | 36 (x7)
  PID 2652 wrote to memory of 1552 | 2652 | Run.exe | 37 (x7)
  PID 2652 wrote to memory of 2116 | 2652 | Run.exe | 38 (x7)
  PID 2652 wrote to memory of 2084 | 2652 | Run.exe | 39 (x1)
System policy modification (1 TTP, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Run.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Run.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Run.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | Run.exe
Processes (process tree; nesting shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe"
  PID: 1368
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\Run.exe
    Command line: .\Run.exe
    PID: 2652
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 2648
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 2724
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 2644
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 2612
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 1740
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 1952
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 1552
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 2116
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 2084
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 560
      - Executes dropped EXE
      - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\7zS2202.tmp\rssvnc.exe
      Command line: rssvnc.exe
      PID: 1488
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 6KB
  MD5: 905bcafd0c52d766fe5f07d83b5a4416
  SHA1: cb8eb19195aec0fed9cbc7f1965953bb363bba23
  SHA256: db30315388ecb39492d09a0e2447a2dbccc902532f284f9a25f3c95e092af1b1
  SHA512: 6f861d5e045ad192853468ccea0dfcf2292483a269776e22b38b333089a09a6ecf85843cc5aeff543c5d3acf318be32a05c1de533200a4e3b0f6690d079d2027
File 2
  Filesize: 569B
  MD5: d3eff0be4491f6328b3ce63638e7f8b9
  SHA1: ba1e42d54e47d3961f5dbc52a7a616a7d03e36af
  SHA256: 39fa64b6ba5dc2054bc669dbd19057927fc7cd039d076ecc2487624484639ed7
  SHA512: f9e484faa4dd451ace067f5b36f1ae9376fae1e6220b744ea96c8799b56aa620a4ef054ba27adca3b3490ea855f2390fc771502d0ba468c129e74abe3a5de118
File 3
  Filesize: 23KB
  MD5: f2c4fc28372ca1c4fa4b527ef2b396d8
  SHA1: 6adde5d8869c505f04bc1b1a6650e3a8f9f18065
  SHA256: c94576cdcc4015ad0436add6970ba0313187c2c5a0ddb6ef18a73af68ae7e3c4
  SHA512: 6ce1c3e11281764c77710e0533909d0860430194114f82bdc68ca474fa780f437579d21cc8863aedda6a24ea69622c6badc2d58ee244979ea4fa5706f070904e
File 4
  Filesize: 807B
  MD5: 983d88150a2f22337facfdde79c34a34
  SHA1: 2fbf5d1c0b9f7a0ffead8a440d2b07c9efb8270a
  SHA256: d177fcf781f78f722b0f5f59056affa6f9db376e9fe22167fc41efeedacb70e9
  SHA512: 7db2448c0bb0b931eca4de7de29f0894432597b2bdfc65409c345c8e9a158fa9951ff84ab574ec3712602d218591f50c0942da6f5dbf682081f9b3d8066e8781
File 5
  Filesize: 241KB
  MD5: 0f6c7e390b1b3ba06792585e96a0e81c
  SHA1: 874cb4bba2cbfa263eba79d695bc2fc421562e3a
  SHA256: 70cae2dc05434905dcec4995a16e504a8552bcdf836f3b0f47c201e7c6f2db2e
  SHA512: 6767a1b7798ef13c8f41c6a4805dc950f53b0a73c321b3a3b59c38693232f660eafdc21b08c0ae472b17ee9639cc55d863592586f0a4deb51106b111ec3c1ad5
File 6
  Filesize: 2KB
  MD5: 9053991894eb4495eae052771e20b2b0
  SHA1: 291fb1256d9df4767f1d209b1ef2f528b4ef98c4
  SHA256: 3eaad270eae612eb953494af2e20e8531f22878a44cdbea4ee579ab1dc956863
  SHA512: 653275e4dd860df1494f25a0c5fb37a2cb0637161172b838168fb5c249a5a3aa5ae925577a44d1650ea956022524b593fb17dd962c03280dac6cfd21ab3e207e
File 7
  Filesize: 460KB
  MD5: 9149fc4df0437b1b452f6e80d528195f
  SHA1: ead677fbd3f0ce27ad2b44ee945bda060ef6419f
  SHA256: 4e2fbd480e19e7411684eb0fb82bf9f766602a5e9ba696c50c4d1471d9a1187e
  SHA512: 24c7888510f2a1fe6905ca1bc71b81132dade8981d595c4e4e26a81f4a0858d776fd0d8b008e60e4e6343192bde53e59e5e832f351fa540fb87abaae83cb1704