Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 13:12
Static task: static1
Behavioral task: behavioral1
  Sample: 84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe
Size: 51KB
MD5: 84430187a0f4c30d75529551c26d3e0a
SHA1: ee84b7dd72e4b8a72f6c0134e1bdbede10929c35
SHA256: f764c732eb8f6ea2df333c6e85f7065b5c3bd7a198a7f2878985377525e5f993
SHA512: 5f9f5354a993f497b100807d9c2454e9210ba9d032e2f960fd4759db65bd73e47a5a7720cb6b5ff471e61875c10c423c7f9352b0191e136435d0b5a045baa47d
SSDEEP: 768:SnrFR/LMpDcbhmtskFxDtv514fIL/WJBiFJ5620Y4xRgbkpg86:e/oVmkFxB51OILWJBe56Pc
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Process: netsh.exe (PID 2664)
Drops startup file (2 IoCs)
Process: dllhost.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\168750860885420104693c9da8dd22c9.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\168750860885420104693c9da8dd22c9.exe
Executes dropped EXE (1 IoC)
Process: dllhost.exe (PID 2368)
Loads dropped DLL (1 IoC)
Process: 84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe (PID 836)
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: dllhost.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\168750860885420104693c9da8dd22c9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\168750860885420104693c9da8dd22c9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .."
The same value name is written under both the user hive and HKLM. The Wow6432Node path is WOW64 registry redirection for a 32-bit process on the x64 image, so a hunt on 64-bit hosts must query the redirected Run key as well as the native one. The value name is identical to the filename dropped in the Startup folder.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe (PID 836) and dllhost.exe (PID 2368), repeated across the 64 recorded events
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 836 (84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe)
  Token: SeDebugPrivilege, PID 2368 (dllhost.exe)
  Token: 33 and Token: SeIncBasePriorityPrivilege, PID 2368 (dllhost.exe), alternating over the remaining 34 events
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 836 (84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe) wrote to memory of PID 2368 (dllhost.exe), 4 events
  PID 2368 (dllhost.exe) wrote to memory of PID 2664 (netsh.exe), 4 events
Each writer is the direct parent of its target and the writes coincide with the child's launch, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe (PID 836)
   Command line: "C:\Users\Admin\AppData\Local\Temp\84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\dllhost.exe (PID 2368, child of 836)
      Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 2664, child of 2368)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE
         - Modifies Windows Firewall

Notes on the tree: the dropped binary is named dllhost.exe, but the genuine COM Surrogate dllhost.exe lives in C:\Windows\System32 (and SysWOW64); a dllhost.exe under %APPDATA% is a name collision and a direct hunt query. The firewall change uses the legacy "netsh firewall" context, which Windows 7 and later still accept (with a deprecation notice) alongside the current "netsh advfirewall firewall" syntax, so detection should cover both forms. The child being the SysWOW64 copy of netsh.exe confirms a 32-bit parent, matching the Wow6432Node Run key above.
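Turning the tree above into detection logic, as an added example that is not part of the sandbox report: the checks below cover the four behaviours it records (a dllhost.exe running outside System32/SysWOW64, a netsh firewall exception for a binary under a user-writable path, Run-key values pointing into such a path, and a drop into the Startup folder). The input records are constructed here in a Sysmon-like shape; the field names, the user-writable directory list and the two benign control records are assumptions, not data from the report. The netsh check also accepts the current "netsh advfirewall firewall add rule ... program=" form, which the report does not show.

```python
"""Detection checks for the behaviours in this report (added example, not sandbox output).
Records are constructed in a Sysmon-like shape: EventID 1 process creation,
11 file creation, 13 registry value set. Field names follow Sysmon; the records
and the directory lists are assumptions built from the report."""
import ntpath
import re

# The genuine dllhost.exe lives only here; the report shows one in %APPDATA%.
LEGIT_DLLHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Locations a standard user can write to (assumed list; extend as needed).
USER_WRITABLE_MARKERS = (r"\appdata\roaming", r"\appdata\local", r"\users\public", r"\programdata")
# Native and WOW64-redirected Run keys under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Command-line tokens; quoted spans stay together so paths with spaces survive.
ARG_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def _norm(path):
    return path.strip().strip('"').lower()


def _user_writable(path):
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def check_masquerade(image):
    """A dllhost.exe outside System32/SysWOW64 is a lookalike, as with PID 2368 above."""
    p = _norm(image)
    if ntpath.basename(p) == "dllhost.exe" and ntpath.dirname(p) not in LEGIT_DLLHOST_DIRS:
        return "dllhost.exe started outside System32/SysWOW64: " + image
    return None


def check_netsh_exception(image, cmdline):
    """Firewall exception for a user-writable binary: legacy 'netsh firewall add
    allowedprogram <path>' (seen in the report) or 'netsh advfirewall firewall
    add rule ... program=<path>'."""
    if ntpath.basename(_norm(image)) != "netsh.exe":
        return None
    args = ARG_RE.findall(cmdline)
    low = set(a.lower() for a in args)
    legacy = {"firewall", "add", "allowedprogram"} <= low
    modern = {"advfirewall", "add", "rule"} <= low
    if not (legacy or modern):
        return None
    for a in args:
        candidate = a.split("=", 1)[1] if a.lower().startswith("program=") else a
        if _norm(candidate).endswith(".exe") and _user_writable(candidate):
            return "firewall exception for user-writable binary: " + _norm(candidate)
    return None


def check_run_key(target_object, details):
    """Run-key value whose command points into a user-writable directory."""
    if RUN_KEY_RE.search(target_object) and _user_writable(details):
        return "Run key -> user-writable path: " + target_object
    return None


def check_startup_drop(target_filename):
    if STARTUP_DIR_RE.search(target_filename):
        return "file dropped in Startup folder: " + target_filename
    return None


def scan(events):
    """Return (pid, finding) pairs for every record that trips a check."""
    findings = []
    for ev in events:
        hits = []
        if ev["EventID"] == 1:
            hits = [check_masquerade(ev["Image"]),
                    check_netsh_exception(ev["Image"], ev["CommandLine"])]
        elif ev["EventID"] == 11:
            hits = [check_startup_drop(ev["TargetFilename"])]
        elif ev["EventID"] == 13:
            hits = [check_run_key(ev["TargetObject"], ev["Details"])]
        findings.extend((ev["ProcessId"], h) for h in hits if h)
    return findings


# Constructed records mirroring the process tree and signatures above, plus two
# benign controls (the real dllhost.exe and a System32 Run entry) that must not fire.
APPDATA_DLLHOST = r"C:\Users\Admin\AppData\Roaming\dllhost.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 836,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe"'},
    {"EventID": 1, "ProcessId": 2368, "Image": APPDATA_DLLHOST, "CommandLine": '"%s"' % APPDATA_DLLHOST},
    {"EventID": 1, "ProcessId": 2664, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": 'netsh firewall add allowedprogram "%s" "dllhost.exe" ENABLE' % APPDATA_DLLHOST},
    {"EventID": 11, "ProcessId": 2368,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\168750860885420104693c9da8dd22c9.exe"},
    {"EventID": 13, "ProcessId": 2368,
     "TargetObject": r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\168750860885420104693c9da8dd22c9",
     "Details": '"%s" ..' % APPDATA_DLLHOST},
    {"EventID": 13, "ProcessId": 2368,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\168750860885420104693c9da8dd22c9",
     "Details": '"%s" ..' % APPDATA_DLLHOST},
    {"EventID": 1, "ProcessId": 1000, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe"},
    {"EventID": 13, "ProcessId": 1001,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

Run as a script it prints five findings, all for PIDs 2368 and 2664, and nothing for the two controls. Against real telemetry, feed Sysmon events 1, 11 and 13 through scan() in the same dict shape; the path checks are deliberately substring-based so that both the native and the Wow6432Node Run key, and both netsh syntaxes, are caught by one rule set.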
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
The Run-key and Startup-folder mapping is backed by the signatures above. No signature on this page records a service being created or modified, so the Windows Service mapping has no visible supporting event here, and the firewall modification (counted as 2 TTPs in the signatures) has no entry in this list.
Downloads
- 84430187a0f4c30d75529551c26d3e0a_JaffaCakes118.exe (the submitted sample; hashes match the General section)
  Filesize: 51KB
  MD5: 84430187a0f4c30d75529551c26d3e0a
  SHA1: ee84b7dd72e4b8a72f6c0134e1bdbede10929c35
  SHA256: f764c732eb8f6ea2df333c6e85f7065b5c3bd7a198a7f2878985377525e5f993
  SHA512: 5f9f5354a993f497b100807d9c2454e9210ba9d032e2f960fd4759db65bd73e47a5a7720cb6b5ff471e61875c10c423c7f9352b0191e136435d0b5a045baa47d