Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
06-06-2024 03:37
Behavioral task
behavioral1
Sample
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe
-
Size
301KB
-
MD5
99e306b9f5101fb891df31047c3b0443
-
SHA1
dbc8befc30a1a9d6cf1ebd8402a0cbd8379a91da
-
SHA256
73673bac7ec4f39ff6bf55c74467fddb1876d028ca28bfcf10e7aab3a02d2d64
-
SHA512
69ddaf491ec373de018146906c8c555bff7e8746cd782dffa632dd0190fdc5aa76994507ec9fb312b1855c3398e70dda67fc6abf2a054819a4c5aeb3188579c4
-
SSDEEP
6144:6LV6Bta6dtJmakIM5Z6EvN65yGtMMnEcXs7hmc:6LV6BtpmkMMEcc7h7
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe" 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe -
Processes:
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe -
Drops file in Program Files directory 2 IoCs
Processes:
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exedescription ioc process File created C:\Program Files (x86)\DDP Subsystem\ddpss.exe 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\DDP Subsystem\ddpss.exe 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1932 schtasks.exe 2612 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exepid process 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exepid process 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exedescription pid process target process PID 2484 wrote to memory of 1932 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe PID 2484 wrote to memory of 1932 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe PID 2484 wrote to memory of 1932 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe PID 2484 wrote to memory of 1932 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe PID 2484 wrote to memory of 2612 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe PID 2484 wrote to memory of 2612 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe PID 2484 wrote to memory of 2612 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe PID 2484 wrote to memory of 2612 2484 99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\99e306b9f5101fb891df31047c3b0443_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1BBB.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1C58.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1BBB.tmpFilesize
1KB
MD5517275cd93d62e0dfd66cfa0f1cdb8f9
SHA1eb0448980567f775dc4a6c9f97770f848426869c
SHA256330396b2ecc0ccfc53fc20402f58d6e4871186fbe5392cc48999c5d32b7e7cc8
SHA5124b302cb0a7a8d9ddb5ba0eace7690f4530de52954531a71bcc7bfdacdb65cf164a19fef73fb41acdc8ce96c65d58206c52408151d975285827abb3904e2b1041
-
C:\Users\Admin\AppData\Local\Temp\tmp1C58.tmpFilesize
1KB
MD58e2d5fba24ae8a54087d8e6cadc188c1
SHA1548555025543b4773b8f36301f5fa5003e1c85dc
SHA256f8a3739cca23897792b42a11a21adcce745201fa19f8d84ec66a6e0c5e519759
SHA5129246583d7b08152cd73dc40254013e1ae4b8c93603dbb1f4e6b82624e14b134c59de6c8039b588f14075602768a388121e985f886322ae5fb9ec2eee94d4ea3d
-
memory/2484-0-0x0000000074AA1000-0x0000000074AA2000-memory.dmpFilesize
4KB
-
memory/2484-1-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB
-
memory/2484-2-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB
-
memory/2484-10-0x0000000074AA0000-0x000000007504B000-memory.dmpFilesize
5.7MB