Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 01-06-2024 17:57
Behavioral task: behavioral1
- Sample: 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
- Size: 203KB
- MD5: 8b46dbe0ddebd8aebd67fd1707cebf32
- SHA1: aa179b9584510b6484542fb5efd37d5256830b73
- SHA256: a97956dc4276f43c5648c1b5efd30fe2f12fc06ee2a384f53ef12f0fa574b999
- SHA512: d395e36771d94f7fcd6db7816b9ff5f67f87dbd0a86c2e38764850c34cb47f0549c1939305db43f5d4e74fd135af98db11da7c74d6957f9f9d72953ec17f35d9
- SSDEEP: 6144:MLV6Bta6dtJmakIM5xPjoWNdOPgZpqS0F:MLV6BtpmkFEdOPQpm
Malware Config
Signatures
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
    pid | process
    2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
    2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
    pid | process
    2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
    Token: SeDebugPrivilege | 2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory 4 IoCs
  Processes:
    description | pid | process | target process
    PID 2924 wrote to memory of 3024 | 2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe | schtasks.exe
    PID 2924 wrote to memory of 3024 | 2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe | schtasks.exe
    PID 2924 wrote to memory of 3024 | 2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe | schtasks.exe
    PID 2924 wrote to memory of 3024 | 2924 | 8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8b46dbe0ddebd8aebd67fd1707cebf32_JaffaCakes118.exe"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, child of the sample)
    Command line: "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp22FB.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp22FB.tmp
  Filesize: 1KB
  MD5: e3cbf2189369486b4862d7c21001a20e
  SHA1: a5f1f4706d844da8228bca741c105060b357f1ac
  SHA256: d6b8c4719ee964917995e98984f9735b3c96edc7e12cbab6a78bc5374a6b7912
  SHA512: 272be4ef5b65c183d134c5970192922aaa805ccab0402a70a5a895a6e6aadd550fc40e64f16a6ad78d8b3985b4b084436f8a8641d58c9d3f9f131aed3c98df8a
- memory/2924-0-0x0000000074171000-0x0000000074172000-memory.dmp
  Filesize: 4KB
- memory/2924-1-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB
- memory/2924-2-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB
- memory/2924-7-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB