Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 22:15
Behavioral task: behavioral1
Sample: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
Resource: win7-20240221-en (windows7-x64)
9 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
Resource: win10v2004-20240426-en (windows10-2004-x64)
9 signatures, 150 seconds
General
Target: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
Size: 16KB
MD5: 7ab8de476c99b6ac150a7db8401ba4cf
SHA1: e11ba5b1a2337f680e2090af68644f5fed808199
SHA256: 0a0c62998f76d1c6225f6d992a4897197cfbed34b6f6884658ab5feb3c57cade
SHA512: ed05496e539a40e9cecb85da12911a638cd347772ec5dc0b9151b7a3d670e2566e127b9a8913e9c5814f5171cbf6049c4b3e8b804c0842dde92ae28b994120c2
SSDEEP: 384:qKxvDuPNItH19GTXjdhswuujYcV6AUwJFZb:q44atV9AhBfYcV6Dw9b
Score: 10/10
Malware Config
Signatures
- LoaderBot executable (1 IoC)
  resource: behavioral1/memory/1676-1-0x0000000001380000-0x000000000138A000-memory.dmp; yara_rule: loaderbot
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url; process: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe"; process: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2016; process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1676; process: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 1676; process: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid: 1676; process: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1676 wrote to memory of 1548; pid: 1676; process: 7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe; procid_target: 28 (4 identical entries)
  PID 1548 wrote to memory of 2016; pid: 1548; process: cmd.exe; procid_target: 30 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1676
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      - Suspicious use of WriteProcessMemory
      PID: 1548
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\7ab8de476c99b6ac150a7db8401ba4cf_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
          - Creates scheduled task(s)
          PID: 2016