Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
02-06-2024 17:26
Behavioral task
behavioral1
Sample
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe
-
Size
76KB
-
MD5
8eda529979d30636fb0fbb45c2da7977
-
SHA1
c8894ae2dc2d6f0225c72a2b19fb283a57f077fe
-
SHA256
ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283
-
SHA512
537a16d8dc253800d5225ee1f41135fe619df6c26491fe203632d385751f57a2aa8da5cd9bd4c6582b2f579751ce245aeea367fe106a90058a332d768982d44c
-
SSDEEP
768:/7XINhXznVJ8CC1rBXdo0zekXUd3CdPJxB7mNmDZkUKMKZQbFTiKKAZTX:ChT8C+fuioHq1KEFoAF
Malware Config
Signatures
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
DiamondFox stealer 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\svchost.exe diamondfox_stealer -
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" svchost.exe -
Drops file in Drivers directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts svchost.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2664 cmd.exe -
Drops startup file 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 2868 svchost.exe -
Loads dropped DLL 2 IoCs
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exepid process 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe -
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" svchost.exe -
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exesvchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 9 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exesvchost.exepid process 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe 2868 svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exedescription pid process target process PID 1720 wrote to memory of 2868 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe svchost.exe PID 1720 wrote to memory of 2868 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe svchost.exe PID 1720 wrote to memory of 2868 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe svchost.exe PID 1720 wrote to memory of 2868 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe svchost.exe PID 1720 wrote to memory of 2664 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe cmd.exe PID 1720 wrote to memory of 2664 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe cmd.exe PID 1720 wrote to memory of 2664 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe cmd.exe PID 1720 wrote to memory of 2664 1720 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe cmd.exe -
System policy modification 1 TTPs 4 IoCs
Processes:
8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exesvchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8eda529979d30636fb0fbb45c2da7977_JaffaCakes118.exe"1⤵
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720 -
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe2⤵
- UAC bypass
- Windows security bypass
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2868
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat2⤵
- Deletes itself
PID:2664
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
161B
MD52b4ac925d0131af926415461d760ac8e
SHA1edd325b6ac9903f1195b19f1b028a5067193e1cc
SHA2566ae190034e591dae070cf5550514fae731b01ec06d7c379827f9633f85320732
SHA512f669447506687bd5a0a76fbb76f6124f358b1866085c5ac16cfba95199a3c8becbc268a6360af0a04a3fdde0e09ac204d2b7b6a1e1034070360076617aab574d
-
Filesize
76KB
MD58eda529979d30636fb0fbb45c2da7977
SHA1c8894ae2dc2d6f0225c72a2b19fb283a57f077fe
SHA256ad9ad8c5e78a1060cddb589a027ed9ac6f8ef8fbaa88862e9269690a4fe49283
SHA512537a16d8dc253800d5225ee1f41135fe619df6c26491fe203632d385751f57a2aa8da5cd9bd4c6582b2f579751ce245aeea367fe106a90058a332d768982d44c