Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11-06-2024 01:46
Behavioral task: behavioral1
- Sample: 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
- Size: 496KB
- MD5: 9ca01142589187736ef32d73d28973e0
- SHA1: 307faa96f8186c56e8f670860190e08129d43b5b
- SHA256: ac9fec69ac45137f4fc44b568af643e9dc34724e8a110d1f028650fe8e5914bb
- SHA512: 9ad4906cd5ac83dbcbbe2bf875eb196ddc82d423ddc58c92feb44039d1f0620bfc26ba330eb4afd31d3a14d8094fb21ba30beb6ceba8f5980cf82e59252332de
- SSDEEP: 12288:bA+j5BXJPJGMw75VGB7SLCY1J1kGl8V3eZsemDhkJp:0qHJhGrVG96r1/kGlVZshDhwp
Malware Config
Signatures
- Kutaki Executable 1 IoCs
  Processes: (YARA rule match on a dropped file)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tosadlch.exe | family_kutaki
- Drops startup file 2 IoCs
  Processes: 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tosadlch.exe | 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tosadlch.exe | 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
- Executes dropped EXE 1 IoCs
  Processes: tosadlch.exe
  pid | process
  2588 | tosadlch.exe
- Loads dropped DLL 2 IoCs
  Processes: 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
  pid | process
  2848 | 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
  2848 | 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
- Maps connected drives based on registry 3 TTPs 2 IoCs
  Disk information is often read in order to detect sandboxing environments: the device-instance strings under Disk\Enum carry the disk vendor and model, so a hypervisor's virtual disk is recognisable from the value alone. Note that the report records only the open and the query of value 0, not what the value is compared against.
  Processes: tosadlch.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | tosadlch.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | tosadlch.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings 1 IoCs
  Processes: tosadlch.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | tosadlch.exe
- Suspicious use of SetWindowsHookEx 64 IoCs
  Processes: 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe, tosadlch.exe
  pid | process
  2848 | 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe (3 entries)
  2588 | tosadlch.exe (remaining 61 entries)
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes: 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
  description | pid | process | target process
  PID 2848 wrote to memory of 2584 | 2848 | 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe | cmd.exe (4 identical entries)
  PID 2848 wrote to memory of 2588 | 2848 | 9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe | tosadlch.exe (4 identical entries)
  Both targets are children that 2848 itself spawned (see the process tree below), and the four writes per child are the pattern the sandbox records for process creation from 2848; the entries are not evidence of injection into an unrelated process. What matters is that one target is the copy the sample placed in the Startup folder.
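The behaviours recorded in the Signatures section (an .exe dropped into the user's Startup folder, the Disk\Enum registry read, the IE key creation, and the dropper writing into a child that runs the dropped file) can be re-derived from raw sandbox events. The Python script below is an added example written for this page; it is not the sandbox's signature engine and not Kutaki's code. The event rows are constructed from the IoC tables above, the signature names are reused from the report, and the hypervisor marker list plus the two Disk\Enum device-instance strings are assumptions: the report shows only that the value is queried, not what it is compared with.

```python
import re
from collections import defaultdict

# Constructed events, modelled on the IoC tables in this report. Field order:
# (kind, pid, image, action, target). For "wpm" (WriteProcessMemory) rows the
# target is (target_pid, target_image).
DROPPER = "9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tosadlch.exe"
EVENTS = [
    ("file", 2848, DROPPER, "File created", STARTUP),
    ("file", 2848, DROPPER, "File opened for modification", STARTUP),
    ("reg", 2588, "tosadlch.exe", "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    ("reg", 2588, "tosadlch.exe", "Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"),
    ("reg", 2588, "tosadlch.exe", "Key created",
     r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main"),
    ("wpm", 2848, DROPPER, "wrote to memory of", (2584, "cmd.exe")),
    ("wpm", 2848, DROPPER, "wrote to memory of", (2588, "tosadlch.exe")),
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
DISK_ENUM_RE = re.compile(r"\\Services\\Disk\\Enum(\\\d+)?$", re.I)
IE_RE = re.compile(r"\\Software\\Microsoft\\Internet Explorer\\", re.I)
# ASSUMPTION: generic hypervisor markers seen in Disk\Enum device-instance
# strings; the report does not show what Kutaki compares the value against.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen")


def signatures_for(ev):
    """Return the report-style signature names one event triggers."""
    kind, _pid, _image, _action, target = ev
    hits = []
    if kind == "file" and STARTUP_RE.search(target):
        hits.append("Drops startup file")
    if kind == "reg" and DISK_ENUM_RE.search(target):
        hits.append("Maps connected drives based on registry")
    if kind == "reg" and IE_RE.search(target):
        hits.append("Modifies Internet Explorer settings")
    if kind == "wpm":
        hits.append("Suspicious use of WriteProcessMemory")
    return hits


def summarize(events):
    """Aggregate signature hit counts per pid, like the report's IoC tables."""
    per_pid = defaultdict(lambda: defaultdict(int))
    for ev in events:
        for sig in signatures_for(ev):
            per_pid[ev[1]][sig] += 1
    return {pid: dict(sigs) for pid, sigs in per_pid.items()}


def startup_self_copy_chain(events):
    """Link the two halves of the persistence chain this report shows: a pid
    that dropped an .exe into Startup and then wrote into a process whose
    image is that same file. Returns (dropper_pid, child_pid, image) or None."""
    dropped = {}  # pid -> set of lower-cased basenames dropped into Startup
    for kind, pid, _, _, target in events:
        if kind == "file" and STARTUP_RE.search(target):
            dropped.setdefault(pid, set()).add(target.rsplit("\\", 1)[-1].lower())
    for kind, pid, _, _, target in events:
        if kind == "wpm" and target[1].lower() in dropped.get(pid, set()):
            return (pid, target[0], target[1])
    return None


def looks_like_vm(disk_enum_value):
    """Classify a Disk\\Enum\\0 device-instance string the way an anti-sandbox
    check would; this is why the sandbox flags reads of that key."""
    value = disk_enum_value.lower()
    return any(marker in value for marker in VM_MARKERS)


if __name__ == "__main__":
    for pid, sigs in sorted(summarize(EVENTS).items()):
        print(pid, sigs)
    print("self-copy chain:", startup_self_copy_chain(EVENTS))
    # Constructed device-instance strings, not values from the report.
    print(looks_like_vm(r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000"))
    print(looks_like_vm(r"SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ\4&2c9f2bd4&0&000000"))
```

The chain check is the part worth keeping in a detection: a startup-folder drop alone is common in installers, and WriteProcessMemory into a freshly spawned child is normal process creation, but a process that drops an .exe into Startup and then spawns that same file is the dropper-to-persistence hand-off seen here.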
Processes
- [pid 2848] C:\Users\Admin\AppData\Local\Temp\9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9ca01142589187736ef32d73d28973e0_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [pid 2584] C:\Windows\SysWOW64\cmd.exe
    command line (as recorded): cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  - [pid 2588] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tosadlch.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tosadlch.exe"
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tosadlch.exe
  Filesize: 496KB
  MD5: 9ca01142589187736ef32d73d28973e0
  SHA1: 307faa96f8186c56e8f670860190e08129d43b5b
  SHA256: ac9fec69ac45137f4fc44b568af643e9dc34724e8a110d1f028650fe8e5914bb
  SHA512: 9ad4906cd5ac83dbcbbe2bf875eb196ddc82d423ddc58c92feb44039d1f0620bfc26ba330eb4afd31d3a14d8094fb21ba30beb6ceba8f5980cf82e59252332de
  All four hashes match the submitted sample: the dropper copies itself byte-for-byte into the Startup folder under the name tosadlch.exe, so the hashes in the General section identify the persisted file as well.
- memory/2588-13-0x0000000004880000-0x00000000058E2000-memory.dmp (pid 2588, region 0x04880000-0x058E2000)
  Filesize: 16.4MB