Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 29-05-2024 10:53

Static task: static1

Behavioral task: behavioral1
  Sample: 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

The signatures, PIDs and process tree below come from the Windows 7 x64 run (behavioral1).
General

Target: 807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe
Size: 923KB
MD5: 807fdc437e03d6c168792b8773e4f73c
SHA1: 2b593b3505b09aa2a322a8aab3c20161b461dd23
SHA256: 3401c787e69edb72ca1216677ec2e0adb3c51db92c03dc88fa4f11e046e727d0
SHA512: fd4ab96c99c80d8ba23a6dce61471aa2544c2778236bca5f2010d196509e53ca8288cc4f89d79d5b54d90e8da6ab801a0b62e50ca859ea826a4ef17aaeae04d8
SSDEEP: 12288:SdjX6gJi4/KolPowKqRwzR+3uFnBHR1b536JEDwJ7BYfQphPqfEosRZihYFhyQB6:hQQQwdt1NfZTQ+iilL848
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
  Process                                                    Description                    IoC
  807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe (1796)  File opened for modification   C:\Windows\system32\drivers\etc\hosts
  Note: the file touched is the hosts file, not a driver. Writing to it changes name resolution for the whole host, so the modified content (which the report does not show) should be pulled from the sandbox artifacts and checked for redirected or blackholed domains.

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process      PID
  netsh.exe    2524
  The command line (see the process tree) uses the legacy "netsh firewall" context, which is deprecated in favour of "netsh advfirewall firewall" but still executes. Detection logic that only matches the advfirewall syntax will miss it.

Executes dropped EXE (3 IoCs)
  Process                 PID
  Refract's Crypter.exe   2456
  server.exe              2656
  Refract's Crypter.exe   2756

Loads dropped DLL (5 IoCs)
  Process                                                    PID    Count
  807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe         1796   4
  server.exe                                                 2656   1

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process     Operation         Key                                                                                                              Data
  server.exe  Set value (str)   HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552   "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  server.exe  Set value (str)   HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552                                    "C:\Users\Admin\AppData\Local\Temp\server.exe" ..
  Note: the value name is a 32-character hex string and the data ends in a literal " ..", both of which make good hunting terms. The HKLM entry landed under Wow6432Node because server.exe is a 32-bit process on x64 (WOW64 registry redirection); it could only be written because the sandbox runs the sample as an administrator. On an unprivileged host only the HKU entry would succeed, so check both hives.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process                                                    PID
  807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe         1796
  server.exe                                                 2656

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Process                                                    PID    Token                        Count
  807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe         1796   SeDebugPrivilege             1
  server.exe                                                 2656   SeDebugPrivilege             1
  server.exe                                                 2656   33                           17
  server.exe                                                 2656   SeIncBasePriorityPrivilege   17
  The entries for PID 2656 alternate "33" and SeIncBasePriorityPrivilege in 17 pairs. "33" is the raw privilege LUID; on Windows it corresponds to SeIncreaseWorkingSetPrivilege. Repeated SeDebugPrivilege / SeIncBasePriorityPrivilege enabling from a process living in %TEMP% is worth alerting on even without the other signatures.

Suspicious use of WriteProcessMemory (16 IoCs)
  Source process                                             Source PID   Target PID   Target process           Writes
  807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe         1796         2456         Refract's Crypter.exe    4
  807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe         1796         2656         server.exe               4
  server.exe                                                 2656         2756         Refract's Crypter.exe    4
  server.exe                                                 2656         2524         netsh.exe                4
  Every target is a child the writer itself spawned (see the process tree), so these writes are consistent with ordinary process creation rather than injection into a foreign process. Treat this signature as low weight on its own here.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe  (PID 1796)
    command line: "C:\Users\Admin\AppData\Local\Temp\807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe"
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe  (PID 2456)
        command line: "C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe"
        - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 2656)
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe  (PID 2756)
            command line: "C:\Users\Admin\AppData\Roaming\Refract's Crypter.exe"
            - Executes dropped EXE

        [3] C:\Windows\SysWOW64\netsh.exe  (PID 2524)
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall

The tree reads as: the submitted sample drops and runs a second-stage binary ("Refract's Crypter.exe") and server.exe; server.exe then registers itself under Run keys, re-launches the crypter, and uses a 32-bit netsh (SysWOW64) to whitelist itself in the firewall. The firewall exception, the Run key and the hosts-file write are all attributed to binaries in user-writable directories, which is the common thread a detection should key on.
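The three host-side behaviours in this tree (hosts-file write, Run key pointing into %TEMP%, netsh exception for the same binary) are easy to turn into correlated detection logic. The block below is an added example, not part of the sandbox report or the sample: it runs simple rules over constructed Sysmon-style events whose schema, rule names and benign entries are assumptions for this example, while the three hostile events reproduce the IoCs recorded above. It also goes beyond the sample by matching the current "netsh advfirewall firewall add rule ... program=" syntax alongside the legacy "netsh firewall add allowedprogram" form actually used here.

```python
"""Detection logic for the behaviours flagged in this report, run over constructed
Sysmon-style events.  Event schema, rule names and the benign events are assumptions
made for this example; the three hostile events mirror the report's IoCs."""
import re
from typing import Dict, Iterable, List, Optional

# Directories an unprivileged user can write to. A startup entry or firewall
# exception pointing into one of these is the signal, not the Run key by itself.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Legacy context used by the sample: netsh firewall add allowedprogram <path> <name> ENABLE
NETSH_LEGACY = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Current context, covered as well: netsh advfirewall firewall add rule ... program="<path>"
NETSH_ADV = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="([^"]+)"', re.IGNORECASE)


def first_quoted_path(value: str) -> str:
    """Executable path from Run-key data such as '"C:\\dir\\x.exe" ..' or 'C:\\dir\\x.exe /arg'."""
    m = re.match(r'\s*"([^"]+)"', value)
    if m:
        return m.group(1)
    parts = value.split()
    return parts[0] if parts else ""


def netsh_program(cmdline: str) -> Optional[str]:
    """Program path a netsh firewall command whitelists, or None if it is not such a command."""
    for rx in (NETSH_LEGACY, NETSH_ADV):
        m = rx.search(cmdline)
        if m:
            return next(g for g in m.groups() if g)
    return None


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matched rule; events must be in chronological order."""
    findings: List[Dict] = []
    persisted: Dict[int, str] = {}  # pid -> path it registered under a Run key
    for ev in events:
        if ev["type"] == "file_write" and HOSTS_FILE.search(ev["target"]):
            # Loose heuristic: only tooling under C:\Windows (notepad etc.) is expected to edit hosts.
            if not ev["image"].lower().startswith("c:\\windows\\"):
                findings.append({"rule": "hosts_file_modified", "pid": ev["pid"], "detail": ev["image"]})
        elif ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
            path = first_quoted_path(ev["data"])
            if USER_WRITABLE.search(path):
                persisted[ev["pid"]] = path
                findings.append({"rule": "run_key_user_writable_path", "pid": ev["pid"], "detail": path})
        elif ev["type"] == "process_create":
            path = netsh_program(ev.get("cmdline", ""))
            if path and USER_WRITABLE.search(path):
                findings.append({"rule": "firewall_exception_user_writable_path", "pid": ev["pid"], "detail": path})
                parent = ev.get("parent_pid")
                # Correlate: the parent persisted this same binary and now opens the firewall for it.
                if parent in persisted and persisted[parent].lower() == path.lower():
                    findings.append({"rule": "persist_then_firewall_exception", "pid": parent, "detail": path})
    return findings


# Constructed events (not the sandbox's export format). The first three mirror the report's IoCs;
# the remaining three are invented benign/unrelated activity to show what the rules ignore.
SAMPLE_EVENTS = [
    {"type": "file_write", "pid": 1796,
     "image": r"C:\Users\Admin\AppData\Local\Temp\807fdc437e03d6c168792b8773e4f73c_JaffaCakes118.exe",
     "target": r"C:\Windows\system32\drivers\etc\hosts"},
    {"type": "reg_set", "pid": 2656, "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "key": r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\279f6960ed84a752570aca7fb2dc1552",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'},
    {"type": "process_create", "pid": 2524, "parent_pid": 2656, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    {"type": "reg_set", "pid": 3100, "image": r"C:\Program Files\Vendor\Updater.exe",
     "key": r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\Updater.exe" /background'},
    {"type": "process_create", "pid": 4100, "parent_pid": 3200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Stage 2" dir=in action=allow program="C:\Users\Public\stage2.exe"'},
    {"type": "process_create", "pid": 4200, "parent_pid": 3200, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Corp VPN" dir=in action=allow program="C:\Program Files\CorpVPN\vpn.exe"'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:40} pid={f['pid']}  {f['detail']}")
```

Against SAMPLE_EVENTS this yields five findings: the hosts write by PID 1796, the Run key by PID 2656, firewall exceptions by PIDs 2524 and 4100, and the correlated persist-then-whitelist finding attributed to PID 2656. The Program Files entries produce nothing, which is the point of keying on user-writable paths rather than on netsh or Run-key writes in general.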
Network
MITRE ATT&CK Enterprise v15

Tactic                 Technique                                   Sub-technique                                    Count
Persistence            Boot or Logon Autostart Execution (T1547)   Registry Run Keys / Startup Folder (T1547.001)   1
Persistence            Create or Modify System Process (T1543)     Windows Service (T1543.003)                      1
Privilege Escalation   Boot or Logon Autostart Execution (T1547)   Registry Run Keys / Startup Folder (T1547.001)   1
Privilege Escalation   Create or Modify System Process (T1543)     Windows Service (T1543.003)                      1

The Run-key mappings are backed by the "Adds Run key to start application" signature above. None of the listed signatures records service creation, so the Windows Service mapping is not corroborated by the IoCs shown in this report.
Downloads

File 1
  Filesize: 1KB
  MD5: 306e380eb59499c762a3afb1ef954797
  SHA1: 33d65f2e7df181020f10acd0eac15dd9e1e4f81d
  SHA256: 062f65193b65e2cc8918222ee240655709c80ace141912ad1a52c9615b63f040
  SHA512: 6b8dcc664a61a5fb6e7a75a6a10f91129b79488d8ccd77d00680b283aa734da8b596a23f8ffa68dc8f5eedf23e4237203db6ac968802e5c162b67e5eaaeb54f4

File 2 (hashes match the submitted sample)
  Filesize: 923KB
  MD5: 807fdc437e03d6c168792b8773e4f73c
  SHA1: 2b593b3505b09aa2a322a8aab3c20161b461dd23
  SHA256: 3401c787e69edb72ca1216677ec2e0adb3c51db92c03dc88fa4f11e046e727d0
  SHA512: fd4ab96c99c80d8ba23a6dce61471aa2544c2778236bca5f2010d196509e53ca8288cc4f89d79d5b54d90e8da6ab801a0b62e50ca859ea826a4ef17aaeae04d8

File 3
  Filesize: 188KB
  MD5: 23c6fa4e6b94422381302678a73d5785
  SHA1: 7b256feacff6e7fcf84e6b6a17b41b708dd3dafe
  SHA256: b0b8d725b442e2538fb40fd84cc3e57c27d6d1334160ac2821796d85ec3cb65b
  SHA512: 90661f2cf725f69b7ef06fb22175be80bd71a607e115181e3ba9042adbf4809fd6e424fcbc304c5af5b7cd5d18d06deec2dd98f0ee64c15be0894f936f1d5330

The report does not state which dropped artifact (server.exe, Refract's Crypter.exe or the modified hosts file) files 1 and 3 correspond to; match them by hash against the sandbox's file listing before using them as IoCs.