Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 11-06-2024 12:43
Static task: static1
Behavioral task: behavioral1
Sample: 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
Resource: win7-20240419-en
General
- Target: 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
- Size: 4.3MB
- MD5: 9e3856d35e9b55d33c1c919787907044
- SHA1: 4bcb49aceccd54aebd5a723a2cc214ad4927b282
- SHA256: cf85df4419807f0d65e4ea91ee1c0ada18c945750533a480b1bc57c0669ddcf1
- SHA512: 741d24e6b32852715536df9913dfba99f88656a1374e16201a4e7c45203b75a5d2a4e5ff7d13d8cb26b0ddee197675eb55b3334648923df83bdc18bb473e452a
- SSDEEP: 98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid 1680, process Чистилка.exe
-
Loads dropped DLL 8 IoCs
Processes:
pid 1148, process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe (8 identical entries)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description: File opened for modification; ioc: \??\PhysicalDrive0; process: 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description: File created; ioc: C:\Windows\fonts\pns.ttf; process: 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Token: SeTakeOwnershipPrivilege, pid 1148, process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
Token: SeRestorePrivilege, pid 1148, process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
Token: SeDebugPrivilege, pid 1148, process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege, pid 1680, process Чистилка.exe
Token: SeRestorePrivilege, pid 1680, process Чистилка.exe
Token: SeDebugPrivilege, pid 1680, process Чистилка.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid 1148, process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe (3 identical entries)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid 1148, process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe (3 identical entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid 1148, process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe (2 identical entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description: PID 1148 wrote to memory of 1680; pid 1148; process 9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe; target process Чистилка.exe (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1148
-
  C:\ProgramData\Чистилка\Чистилка.exe (level 2)
  Command line: C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1680
Network
MITRE ATT&CK Enterprise v15