Analysis
-
max time kernel
131s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 03:50
Static task
static1
Behavioral task
behavioral1
Sample
938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe
-
Size
57KB
-
MD5
938b38ef7f759bdccbbcae2a6740f28a
-
SHA1
5d93c1cab222bbc49a1901e04d6af48fa0bce8c6
-
SHA256
10886654aad09e418ee08c3383f36d7b3ddfeb0272c353a1523a25a0236ed452
-
SHA512
3d64e1e0e090ac41aff0c45d6506a4b9c4ece3c0e41995f3651b92a036f086374ed6d3063f0ea2cb03cdd440c368482c2db58c5346d793470d4d8581d9e2a3fd
-
SSDEEP
1536:BV2sXSAXRaaWipfv5ErqR4x0qZXPoGJco:BVTSAXjWipfv5hR4yqZw8
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2656-2-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2656-4-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2656-6-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2656-5-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2908-12-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2908-13-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2908-19-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2656-24-0x0000000010000000-0x0000000010021000-memory.dmp upx behavioral1/memory/2908-33-0x0000000010000000-0x0000000010021000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\ptpt3qvxx9uet\\Httdkgp.exe /Klaunchp" Httdkgp.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\n: Httdkgp.exe File opened (read-only) \??\p: Httdkgp.exe File opened (read-only) \??\r: Httdkgp.exe File opened (read-only) \??\v: Httdkgp.exe File opened (read-only) \??\a: Httdkgp.exe File opened (read-only) \??\g: Httdkgp.exe File opened (read-only) \??\h: Httdkgp.exe File opened (read-only) \??\s: Httdkgp.exe File opened (read-only) \??\t: Httdkgp.exe File opened (read-only) \??\u: Httdkgp.exe File opened (read-only) \??\e: Httdkgp.exe File opened (read-only) \??\i: Httdkgp.exe File opened (read-only) \??\k: Httdkgp.exe File opened (read-only) \??\q: Httdkgp.exe File opened (read-only) \??\y: Httdkgp.exe File opened (read-only) \??\z: Httdkgp.exe File opened (read-only) \??\b: Httdkgp.exe File opened (read-only) \??\l: Httdkgp.exe File opened (read-only) \??\m: Httdkgp.exe File opened (read-only) \??\x: Httdkgp.exe File opened (read-only) \??\j: Httdkgp.exe File opened (read-only) \??\o: Httdkgp.exe File opened (read-only) \??\w: Httdkgp.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe File opened for modification \??\PHYSICALDRIVE0 Httdkgp.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Httdkgp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Httdkgp.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2908 Httdkgp.exe 2908 Httdkgp.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe Token: SeDebugPrivilege 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe Token: SeDebugPrivilege 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe Token: SeDebugPrivilege 2908 Httdkgp.exe Token: SeDebugPrivilege 2908 Httdkgp.exe Token: SeDebugPrivilege 2908 Httdkgp.exe Token: SeDebugPrivilege 2908 Httdkgp.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe 2908 Httdkgp.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2656 wrote to memory of 2908 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe 28 PID 2656 wrote to memory of 2908 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe 28 PID 2656 wrote to memory of 2908 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe 28 PID 2656 wrote to memory of 2908 2656 938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\938b38ef7f759bdccbbcae2a6740f28a_JaffaCakes118.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\ptpt3qvxx9uet\Httdkgp.exelaunch2⤵
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2908
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1