Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 23:06
Behavioral task: behavioral1
Sample: 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
Resource: win7-20240215-en (windows7-x64)
6 signatures
150 seconds
General
Target: 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
Size: 1.4MB
MD5: 8fc013bb379e00fb614142ceaa52fffe
SHA1: b4ac24b4e934a4339c2804dce93265ae459a4762
SHA256: 613496e0190d0df061bb4bb9519721dba25cc0daed1bd5b535f7e9a9bc33d836
SHA512: ee79514d095e62046c0ad071e0521e8efa31cc1da095c202b0c74018270bdeefce313c064d08562e16f9417548bf0f22c485ebe9a002ed13414e429984d78e3d
SSDEEP: 24576:rfEY7K9Flox2jGbgqZFZdoJb5AtatqUDzjveEolEVAOfox:rTAW2MBZWPHRzjvCpOfC
Malware Config
Signatures
BitRAT payload 5 IoCs
resource                                                                      yara_rule
behavioral1/memory/1256-1-0x0000000000400000-0x0000000000826000-memory.dmp    family_bitrat
behavioral1/memory/1256-3-0x0000000000400000-0x0000000000826000-memory.dmp    family_bitrat
behavioral1/memory/1256-7-0x0000000000400000-0x0000000000826000-memory.dmp    family_bitrat
behavioral1/memory/1256-11-0x0000000000400000-0x0000000000826000-memory.dmp   family_bitrat
behavioral1/memory/1256-14-0x0000000000400000-0x0000000000826000-memory.dmp   family_bitrat

UPX packed file (yara rule upx) 6 IoCs
resource                                                                      yara_rule
behavioral1/memory/1256-0-0x0000000000400000-0x0000000000826000-memory.dmp    upx
behavioral1/memory/1256-1-0x0000000000400000-0x0000000000826000-memory.dmp    upx
behavioral1/memory/1256-3-0x0000000000400000-0x0000000000826000-memory.dmp    upx
behavioral1/memory/1256-7-0x0000000000400000-0x0000000000826000-memory.dmp    upx
behavioral1/memory/1256-11-0x0000000000400000-0x0000000000826000-memory.dmp   upx
behavioral1/memory/1256-14-0x0000000000400000-0x0000000000826000-memory.dmp   upx
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid    Process
1256   8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description                  pid    Process
Token: SeDebugPrivilege      1256   8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
Token: SeShutdownPrivilege   1256   8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
1256   8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe (2 occurrences)
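The yara rows above and the hash block in the General section are what an analyst actually consumes from a report like this, so here is a small helper for them. It is an added example, not tooling from the sandbox vendor: it parses the flattened "resource yara_rule" rows into (task, pid, dump index, address range, rule) records, splits the ssdeep digest into its block size and two chunk hashes, and recomputes MD5/SHA1/SHA256/SHA512 over a local copy of the sample so the report's IoCs are only acted on when the bytes match. The hash values, yara rows and ssdeep digest are copied from the report; the sample itself is not available here, so the hash check is exercised against constructed bytes.

```python
"""Helpers for a flattened sandbox report (added example, not vendor tooling)."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Copied from the General section of the report above.
REPORT_HASHES = {
    "md5": "8fc013bb379e00fb614142ceaa52fffe",
    "sha1": "b4ac24b4e934a4339c2804dce93265ae459a4762",
    "sha256": "613496e0190d0df061bb4bb9519721dba25cc0daed1bd5b535f7e9a9bc33d836",
    "sha512": "ee79514d095e62046c0ad071e0521e8efa31cc1da095c202b0c74018270bdeefce313c064d08562e16f9417548bf0f22c485ebe9a002ed13414e429984d78e3d",
}
REPORT_SSDEEP = "24576:rfEY7K9Flox2jGbgqZFZdoJb5AtatqUDzjveEolEVAOfox:rTAW2MBZWPHRzjvCpOfC"

# The two flattened "resource yara_rule" rows, exactly as the report renders them.
BITRAT_ROW = (
    "behavioral1/memory/1256-1-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat "
    "behavioral1/memory/1256-3-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat "
    "behavioral1/memory/1256-7-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat "
    "behavioral1/memory/1256-11-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat "
    "behavioral1/memory/1256-14-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat"
)
UPX_ROW = (
    "behavioral1/memory/1256-0-0x0000000000400000-0x0000000000826000-memory.dmp upx "
    "behavioral1/memory/1256-1-0x0000000000400000-0x0000000000826000-memory.dmp upx "
    "behavioral1/memory/1256-3-0x0000000000400000-0x0000000000826000-memory.dmp upx "
    "behavioral1/memory/1256-7-0x0000000000400000-0x0000000000826000-memory.dmp upx "
    "behavioral1/memory/1256-11-0x0000000000400000-0x0000000000826000-memory.dmp upx "
    "behavioral1/memory/1256-14-0x0000000000400000-0x0000000000826000-memory.dmp upx"
)


@dataclass(frozen=True)
class MemoryHit:
    task: str         # behavioral task the dump belongs to, e.g. behavioral1
    pid: int          # process the memory was dumped from
    dump_index: int   # ordinal of the dump within that process
    start: int        # first address of the dumped region
    end: int          # one past the last address of the region
    rule: str         # yara rule that matched the dump

    @property
    def size(self) -> int:
        return self.end - self.start


# <task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\w+)"
)


def parse_yara_hits(row: str) -> list[MemoryHit]:
    """Split one flattened 'resource yara_rule' row into structured hits."""
    return [
        MemoryHit(m["task"], int(m["pid"]), int(m["idx"]),
                  int(m["start"], 16), int(m["end"], 16), m["rule"])
        for m in HIT_RE.finditer(row)
    ]


def summarize_hits(hits: list[MemoryHit]) -> dict[str, dict]:
    """Group hits by rule: which pids, which dump indices, which address ranges."""
    out: dict[str, dict] = defaultdict(
        lambda: {"pids": set(), "dumps": set(), "regions": set()})
    for h in hits:
        out[h.rule]["pids"].add(h.pid)
        out[h.rule]["dumps"].add(h.dump_index)
        out[h.rule]["regions"].add((h.start, h.end))
    return dict(out)


def parse_ssdeep(digest: str) -> tuple[int, str, str]:
    """ssdeep digests are 'blocksize:hash_at_blocksize:hash_at_2x_blocksize'."""
    block, h1, h2 = digest.split(":", 2)
    return int(block), h1, h2


def file_hashes(data: bytes) -> dict[str, str]:
    """Digests in the same four algorithms the report lists."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}


def hash_mismatches(data: bytes, expected: dict[str, str]) -> list[str]:
    """Names of the algorithms whose digest of data differs from the report."""
    actual = file_hashes(data)
    return sorted(n for n, h in expected.items() if actual.get(n) != h.lower())


if __name__ == "__main__":
    summary = summarize_hits(parse_yara_hits(BITRAT_ROW) + parse_yara_hits(UPX_ROW))
    for rule, s in summary.items():
        print(rule, "pids", sorted(s["pids"]), "dumps", sorted(s["dumps"]),
              "regions", [f"0x{a:x}-0x{b:x}" for a, b in sorted(s["regions"])])
    print("ssdeep block size:", parse_ssdeep(REPORT_SSDEEP)[0])
    # Constructed stand-in for the sample; a real copy would be read from disk.
    print("mismatching digests:", hash_mismatches(b"not the real sample", REPORT_HASHES))
```

Both rules hit the same region of PID 1256, 0x400000 to 0x826000, which is 0x426000 bytes (about 4.1 MB) against a 1.4 MB file on disk; the family rule fires on dumps 1, 3, 7, 11 and 14, a subset of the six dumps the upx rule matches. Feed a real copy of the sample to hash_mismatches before reusing any of the report's indicators: an empty list means the bytes are the ones this report describes.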
Processes
C:\Users\Admin\AppData\Local\Temp\8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe"
  PID: 1256
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx