Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27/05/2024, 18:29
Static task: static1
Behavioral task: behavioral1
- Sample: 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe
- Size: 484KB
- MD5: 7a17dfe6888695511cecb4fd37c297b2
- SHA1: 29eaef941d3dff65d2224d24f6dc99690ddffd5f
- SHA256: cce9695bdbf64377264d6afee73cb26e178ee87dfc42f5543ad8b4f5a5587fd8
- SHA512: 5e1914db199a532c18ee30908011ac0aef7a1154806a87948a05d44c52edfa228623a5cd326a18fcf828ecc8bde8f00019b6a182960fabf394dda37a839a196b
- SSDEEP: 6144:WO0kVCPhlSXHWu/UqaJiXFBGBXrbD0LArl6KDOPVjoFX/iQZOP/OvXEx8a0qbwjv:XN6Ail6/VjoFX6eyx8a+jv
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
- PID 2520: 9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
- PID 1228: 9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

Loads dropped DLL (2 IoCs)
- PID 2188: 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe
- PID 2188: 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeTcbPrivilege, PID 1228: 9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 2188: 7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe (2 events)
- PID 2520: 9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe (2 events)
- PID 1228: 9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe (2 events)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 2188 (7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe) wrote to memory of PID 2520, procid_target 28 (4 events)
- PID 2520 (9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe) wrote to memory of PID 1968, procid_target 29 (6 events)
- PID 2736 (taskeng.exe) wrote to memory of PID 1228, procid_target 33 (4 events)
- PID 1228 (9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe) wrote to memory of PID 2748, procid_target 34 (6 events)

Uses Task Scheduler COM API (1 TTP)
- The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a17dfe6888695511cecb4fd37c297b2_JaffaCakes118.exe"
  PID: 2188
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
    PID: 2520
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\svchost.exe (depth 3)
      Command line: C:\Windows\system32\svchost.exe
      PID: 1968

C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {D159A3EA-59D0-467F-960E-C0AD28456C16} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2736
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\extvisual\9a19dfe8888897711cecb4fd39c299b2_LaffaCameu118.exe
    PID: 1228
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\svchost.exe (depth 3)
      Command line: C:\Windows\system32\svchost.exe
      PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 484KB
- MD5: 7a17dfe6888695511cecb4fd37c297b2
- SHA1: 29eaef941d3dff65d2224d24f6dc99690ddffd5f
- SHA256: cce9695bdbf64377264d6afee73cb26e178ee87dfc42f5543ad8b4f5a5587fd8
- SHA512: 5e1914db199a532c18ee30908011ac0aef7a1154806a87948a05d44c52edfa228623a5cd326a18fcf828ecc8bde8f00019b6a182960fabf394dda37a839a196b