Analysis
-
max time kernel: 148s
-
max time network: 151s
-
platform: windows10-2004_x64
-
resource: win10v2004-20240508-en
-
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted: 29-05-2024 21:52
-
Static task: static1
-
Behavioral task: behavioral1
-
Sample: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Resource: win7-20240221-en
General
-
Target: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Size: 1.4MB
-
MD5: 820f6dd9860bebd89fd0374f70e436be
-
SHA1: 1b75b8179f090063902b13281543c1367fef4081
-
SHA256: 672316bdeef6fa3c30828452e67394ce0b6e160e51e70a1c97f40db377c8aac0
-
SHA512: f4c5e07ae0e027df7f6bd16a9d68768bfd45515a91cbe0d0ca5eb81435bd25205a592ef3984790223f8ce52f0985f040fde216d7e315201bfa7743d7de023388
-
SSDEEP: 6144:rgLcb/d7rFFjZsvsZHV/jmVx4Z9zvmQVOelREPXvg+/oFyLaiQOKDaM:Uadf2UZHV/jmavBXsIy+dOW
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cashout.exe.lnk | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe" | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Checks whether UAC is enabled
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Drops desktop.ini file(s) 2 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\assembly\Desktop.ini | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | pid | process | target process
PID 3608 set thread context of 4040 | 3608 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Drops file in Program Files directory 2 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | ioc | process
File created | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\DHCP Service\dhcpsv.exe | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Drops file in Windows directory 3 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\assembly | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File created | C:\Windows\assembly\Desktop.ini | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
2576 | timeout.exe
-
NTFS ADS 1 IoCs
Processes: cmd.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\grace\cashout.exe:Zone.Identifier | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe, 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
pid | process
3608 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe (16 entries)
4040 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe (3 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
pid | process
4040 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe, 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
description | pid | process
Token: SeDebugPrivilege | 3608 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
Token: SeDebugPrivilege | 4040 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes: 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 3608 wrote to memory of 2380 | 3608 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe | cmd.exe (3 entries)
PID 2380 wrote to memory of 2952 | 2380 | cmd.exe | reg.exe (3 entries)
PID 3608 wrote to memory of 4040 | 3608 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe (8 entries)
PID 3608 wrote to memory of 4856 | 3608 | 820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe | cmd.exe (3 entries)
PID 4856 wrote to memory of 2576 | 4856 | cmd.exe | timeout.exe (3 entries)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe"
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "cmd.exe"
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Windows\SysWOW64\reg.exe
    Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\grace\cashout.exe.lnk" /f
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\820f6dd9860bebd89fd0374f70e436be_JaffaCakes118.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
-
  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\grace\cashout.exe.bat
  - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Windows\SysWOW64\timeout.exe
    Command line: timeout /t 300
    - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\grace\cashout.exe
Filesize: 1.4MB
MD5: 820f6dd9860bebd89fd0374f70e436be
SHA1: 1b75b8179f090063902b13281543c1367fef4081
SHA256: 672316bdeef6fa3c30828452e67394ce0b6e160e51e70a1c97f40db377c8aac0
SHA512: f4c5e07ae0e027df7f6bd16a9d68768bfd45515a91cbe0d0ca5eb81435bd25205a592ef3984790223f8ce52f0985f040fde216d7e315201bfa7743d7de023388
-
C:\Users\Admin\AppData\Roaming\grace\cashout.exe.bat
Filesize: 202B
MD5: d592662cb38e0e99d15afe9115097779
SHA1: 8544f5f0854f4c0eafcf4c1396b13f7f81682b9f
SHA256: 8960caea9115579f3b9706cfe72b898622348fc95490943424e9040dc98412e8
SHA512: 67809225b002a68cc0514f6fc17b1bccdf1fccc213b9c89f6c8cb9793522f489a9c7be2c322b676541ccda76b8811ef078cdc7b33e0b62ea47430f0c8a2f16c7
-
memory/3608-0-0x0000000075092000-0x0000000075093000-memory.dmp
Filesize: 4KB
-
memory/3608-1-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/3608-2-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/3608-23-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/4040-13-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/4040-14-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/4040-17-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/4040-21-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/4040-24-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB
-
memory/4040-25-0x0000000075090000-0x0000000075641000-memory.dmp
Filesize: 5.7MB