Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-05-2024 12:24
Behavioral task
behavioral1
Sample
7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe
-
Size
16KB
-
MD5
7925400a7db00d3b6a11c49d522255f5
-
SHA1
d819e355aca3db47d1affbba72081ec9d6c2ce5c
-
SHA256
246e374106f294a24b21de1875b09d9ac778aa1dd744bb3b6795078156f5a18a
-
SHA512
de676ea34696f9bd723276f5d779cd700abd626283e7cce86d137aa5fe91bf0ce3311bea10866eb45e25dd6dc7072a0fd39abbae94fcfb00c1d184b150b6359a
-
SSDEEP
384:umDvAPDVH19GTXjdh9EuujYcV6AUwJFZb:uqyRV9AhGfYcV6Dw9b
Malware Config
Extracted
loaderbot
http://freebi8o.beget.tech/cmd.php
Signatures
-
LoaderBot executable 1 IoCs
resource yara_rule behavioral2/memory/2168-1-0x0000000000B50000-0x0000000000B5A000-memory.dmp loaderbot -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe" 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe" 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1292 schtasks.exe 1044 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2168 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe 1416 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2168 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2168 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe Token: SeDebugPrivilege 1416 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2168 wrote to memory of 4872 2168 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe 83 PID 2168 wrote to memory of 4872 2168 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe 83 PID 2168 wrote to memory of 4872 2168 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe 83 PID 4872 wrote to memory of 1292 4872 cmd.exe 85 PID 4872 wrote to memory of 1292 4872 cmd.exe 85 PID 4872 wrote to memory of 1292 4872 cmd.exe 85 PID 1416 wrote to memory of 1404 1416 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe 90 PID 1416 wrote to memory of 1404 1416 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe 90 PID 1416 wrote to memory of 1404 1416 7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe 90 PID 1404 wrote to memory of 1044 1404 cmd.exe 92 PID 1404 wrote to memory of 1044 1404 cmd.exe 92 PID 1404 wrote to memory of 1044 1404 cmd.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f3⤵
- Creates scheduled task(s)
PID:1292
-
-
-
C:\Users\Admin\AppData\Roaming\Windows\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exeC:\Users\Admin\AppData\Roaming\Windows\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\7925400a7db00d3b6a11c49d522255f5_JaffaCakes118.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f3⤵
- Creates scheduled task(s)
PID:1044
-
-