Analysis

max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 12-06-2024 23:48

Static task: static1
Behavioral task: behavioral1
Sample: a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe
Resource: win7-20240508-en

General

Target: a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe
Size: 455KB
MD5: a2ff9b452041a6ff6097db779da26d70
SHA1: d9fb90605868c19cdc91c556fb9abfcd09fcdff5
SHA256: c4d9db58c442972cbcb09632bd06b477c6a33f3827a00ac0ec2baeb6a0e6e9cc
SHA512: 2c2012fb5821a26d3aa4f5bb645d087978b846ddecd87cc5c4ece039dbac011f44bcf263fbfc383f5546d906391c9c5d5af7e81d7aa92427832de107505c3867
SSDEEP: 12288:bRVbfvJSlmOPufGjKH2KcDx/2aTxryFM0v+YXO:bfNonjKH2KcF/RM2
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2804 set thread context of 2520 | pid: 2804 | process: installutil.exe | procid_target: 32
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\debug\WIA\UwAqxT.exe | process: installutil.exe
  File opened for modification: C:\Windows\debug\WIA\UwAqxT.exe | process: installutil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2496 | process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2804 | process: installutil.exe (2 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 2520 | process: installutil.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege | pid: 2804 | process: installutil.exe
  Token: SeDebugPrivilege | pid: 2520 | process: installutil.exe
  Token: 33 | pid: 2520 | process: installutil.exe
  Token: SeIncBasePriorityPrivilege | pid: 2520 | process: installutil.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2520 | process: installutil.exe
- Suspicious use of WriteProcessMemory (23 IoCs, grouped by source and target)
  description: PID 1932 wrote to memory of 2804 | pid: 1932 | process: a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe | procid_target: 28 | 7 occurrences
  description: PID 2804 wrote to memory of 2496 | pid: 2804 | process: installutil.exe | procid_target: 30 | 4 occurrences
  description: PID 2804 wrote to memory of 2520 | pid: 2804 | process: installutil.exe | procid_target: 32 | 12 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe (PID 1932, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe (PID 2804, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"
    Note: /u makes InstallUtil run the Uninstall() method of the RunInstaller(true) classes in the named assembly, so the sample's own .NET code executes inside a Microsoft-signed host (signed binary proxy execution, ATT&CK T1218.004); /logtoconsole=false and an empty /logfile= turn off InstallUtil's console and file logging.
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 2496, depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UwAqxT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9434.tmp"
      Note: the image path is SysWOW64 although the command line names System32 because the 32-bit Framework\v4.0.30319 parent is subject to WoW64 file-system redirection. The task definition is read from a temporary XML file, so the action and trigger are not visible on the command line.
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe (PID 2520, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      Note: started with no arguments by PID 2804, which then wrote to its memory and set its thread context (see Signatures): this second installutil.exe is the injection target, not a real InstallUtil run.
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiApSrv.exe (PID 1964, depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
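The Signatures and Processes sections above are raw API counters and a process tree; the Python below, added here as an example and not code from the sandbox or from the sample, turns them into the four rules an analyst would actually want to run over such a report: the WriteProcessMemory plus SetThreadContext pair from a parent into a child it spawned (process hollowing, with the same-image installutil.exe case called out), InstallUtil /u proxy execution of an assembly under a user profile, schtasks /Create /XML fed from a temp directory, and an executable dropped under C:\Windows. The event records are constructed by hand from the rows above; the record layout and the rule names are assumptions made for illustration, and the rules are written generally rather than for these PIDs only.

```python
"""Triage rules over sandbox behaviour events.

Added example: this is not the sandbox's code or the sample's. The records below
are constructed by hand from the Signatures and Processes sections of the report;
the record layout (pid -> parent, image, cmdline) and the rule names are
assumptions made for illustration.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

# Constructed process records (from the Processes section).
PROCESSES = {
    1932: dict(parent=None, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    2804: dict(parent=1932, image=INSTALLUTIL,
               cmdline=f'"{INSTALLUTIL}" /logtoconsole=false /logfile= /u "{SAMPLE}"'),
    2496: dict(parent=2804, image=r"C:\Windows\SysWOW64\schtasks.exe",
               cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UwAqxT" '
                       r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9434.tmp"'),
    2520: dict(parent=2804, image=INSTALLUTIL, cmdline=f'"{INSTALLUTIL}"'),
}
# Constructed API events (api, source pid, target pid); counts as in the Signatures section.
API_EVENTS = ([("WriteProcessMemory", 1932, 2804)] * 7
              + [("WriteProcessMemory", 2804, 2496)] * 4
              + [("WriteProcessMemory", 2804, 2520)] * 12
              + [("SetThreadContext", 2804, 2520)])
# Constructed file events (operation, pid, path).
FILE_EVENTS = [("create", 2804, r"C:\Windows\debug\WIA\UwAqxT.exe")]


def argv(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_hollowing(procs, api_events):
    """WriteProcessMemory plus SetThreadContext from a parent into a child it spawned
    is the core of process hollowing; a same-image child (installutil -> installutil
    here) is the self-hollowing shape. Writes with no SetThreadContext at all
    (1932 -> 2804 above) are deliberately not reported."""
    writes = Counter((s, d) for api, s, d in api_events if api == "WriteProcessMemory")
    hits = []
    for api, src, dst in api_events:
        if api == "SetThreadContext" and writes[(src, dst)] and procs.get(dst, {}).get("parent") == src:
            same = basename(procs[src]["image"]) == basename(procs[dst]["image"])
            hits.append(f"pid {src} hollowed child {dst} ({writes[(src, dst)]} writes, same image={same})")
    return hits


def rule_installutil_uninstall(procs):
    """InstallUtil /u runs the Uninstall() method of the RunInstaller(true) classes in
    the target assembly (ATT&CK T1218.004). Flag it when that assembly sits under a
    user profile instead of an installed product directory."""
    hits = []
    for pid, p in procs.items():
        args = argv(p["cmdline"])
        if basename(p["image"]) != "installutil.exe" or not any(
                a.lower().lstrip("/-") in ("u", "uninstall") for a in args[1:]):
            continue
        for target in (a for a in args[1:] if not a.startswith(("/", "-"))):
            if target.lower().startswith("c:\\users\\"):
                hits.append(f"pid {pid}: installutil /u on user-profile assembly {target}")
    return hits


def rule_schtasks_xml(procs):
    """schtasks /Create /XML: the action and trigger live in the XML file, not on the
    command line. Flag definitions read from a temp directory and keep the task name."""
    hits = []
    for pid, p in procs.items():
        args = argv(p["cmdline"])
        low = [a.lower() for a in args]
        if basename(p["image"]) != "schtasks.exe" or "/create" not in low or "/xml" not in low:
            continue
        xml = args[low.index("/xml") + 1] if low.index("/xml") + 1 < len(args) else ""
        name = args[low.index("/tn") + 1] if "/tn" in low and low.index("/tn") + 1 < len(args) else "<unnamed>"
        if "\\temp\\" in xml.lower():
            hits.append(f"pid {pid}: task {name} created from temp XML {xml}")
    return hits


def rule_exe_dropped_in_windows(procs, file_events):
    """An executable written under C:\\Windows is a durable, path-trusted foothold;
    report the writer so the dropped file can be pulled and hashed."""
    return [f"pid {pid} ({basename(procs[pid]['image'])}) wrote {path}"
            for op, pid, path in file_events
            if op == "create" and path.lower().startswith("c:\\windows\\") and path.lower().endswith(".exe")]


def triage(procs=PROCESSES, api_events=API_EVENTS, file_events=FILE_EVENTS):
    """Run every rule and return {rule name: [finding, ...]}."""
    return {
        "process_hollowing": rule_hollowing(procs, api_events),
        "installutil_uninstall_proxy": rule_installutil_uninstall(procs),
        "schtasks_xml_persistence": rule_schtasks_xml(procs),
        "exe_dropped_in_windows_dir": rule_exe_dropped_in_windows(procs, file_events),
    }


if __name__ == "__main__":
    for rule, findings in triage().items():
        for finding in findings:
            print(f"[{rule}] {finding}")
```

Run as a script it prints one finding per rule for this report. The seven writes from PID 1932 into PID 2804 are not reported as hollowing because no SetThreadContext follows them, which matches the Signatures section, where the only SetThreadContext is 2804 into 2520; the hollowing rule keys on the pair, not on WriteProcessMemory alone, since process creation itself produces a handful of writes into a new child.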
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: d4b27c9473c08e78af6d3af6e0d13312
SHA1: 98a4bf692576d10903d4dd5c7773403b9c031831
SHA256: 06198a3d446a58260ce6c7c0a9f99664566955b53bc525b91b3f661d3e4a4830
SHA512: 2e7f094d76c92d878a76cc1d448e2cb10c1cf47f522dd2f0f5867e0150c130b15f34480f1e158fea4666a07df652d2afb8b5084873daffdbc9e68036e4c6d653