Analysis
- max time kernel: 141s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 13:02
Tasks (task, sample, resource):
- static1 (static task)
- behavioral1: a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe, win7-20240220-en
- behavioral2: a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe, win10v2004-20240508-en
- behavioral3: $PLUGINSDIR/IpConfig.dll, win7-20240611-en
- behavioral4: $PLUGINSDIR/IpConfig.dll, win10v2004-20240611-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20240508-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240611-en
- behavioral7: $PLUGINSDIR/WmiInspector.dll, win7-20240220-en
- behavioral8: $PLUGINSDIR/WmiInspector.dll, win10v2004-20240611-en
- behavioral9: $PLUGINSDIR/inetc.dll, win7-20240611-en
- behavioral10: $PLUGINSDIR/inetc.dll, win10v2004-20240611-en
- behavioral11: $PLUGINSDIR/t1.dll, win7-20240419-en
- behavioral12: $PLUGINSDIR/t1.dll, win10v2004-20240226-en
- behavioral13: IWsrv.exe, win7-20240508-en
- behavioral14: IWsrv.exe, win10v2004-20240508-en
General
- Target: a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe
- Size: 301KB
- MD5: a5aae6dc2d5787d13aaeb4e88ca40039
- SHA1: 2487ebe95cb2643399d92fffde9285faf2420d99
- SHA256: 21ad01dc4e71eaabdbb4bc20c1e3caf42d930b6c5dc2ef8fd730dd53784ab0e3
- SHA512: b0a48cf0745e7cf0ec1e048cac5a475a897a03e3533a8acbb53910e53679623ec0ea6f408860a67de21cd58598323adcfc3e54492cc1bc13a8587c6e536d654d
- SSDEEP: 6144:wzfj/e3up4c2aArt0UU+AmPZ9dTHxno/HnlDPlY0WPmKXtqVRMn/F:G/e3up4c6rt0Z+AmDdTHxnuHtlY0WPmO
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  1920 IWsrv.exe
  1860 IWsrv.exe
- Loads dropped DLL (13 IoCs)
  Processes (pid, process):
  2192 a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe (13 identical entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Finalize = "C:\\Users\\Admin\\AppData\\Roaming\\InstallW\\Full_Setup.exe /runonce" a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
  2192 a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  PID 2192 wrote to memory of 1920, a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe -> IWsrv.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe (PID 2192, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5aae6dc2d5787d13aaeb4e88ca40039_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe (PID 1920, depth 2, child of PID 2192)
    Command line: C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe install
    - Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe (PID 1860, depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\InstallW\IWsrv.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Temp\nsiC42.tmp\IpConfig.dll
  Filesize: 114KB
  MD5: a3ed6f7ea493b9644125d494fbf9a1e6
  SHA1: ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
  SHA256: ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
  SHA512: 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1
- \Users\Admin\AppData\Local\Temp\nsiC42.tmp\WmiInspector.dll
  Filesize: 104KB
  MD5: 8531346d16fa5d4768f6530d2eb2b65c
  SHA1: 153601d36aa0ddfbc597b1e890917364878791ca
  SHA256: a9347413de4b0f90cac0b5e300cec9c867bdb28bd7a60d07b10fd31ee56c60cb
  SHA512: f214e75de20edeb7eece02659fd7dafc8c3d63c2350c58825bc6e9ce0b73237962d8273b4bc803a2f304cee9f9cad1cd4edab28322c1e678bc25eb88faa6a841
- \Users\Admin\AppData\Local\Temp\nsiC42.tmp\inetc.dll
  Filesize: 20KB
  MD5: f02155fa3e59a8fc48a74a236b2bb42e
  SHA1: 6d76ee8f86fb29f3352c9546250d940f1a476fb8
  SHA256: 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999
  SHA512: 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399
- \Users\Admin\AppData\Local\Temp\nsiC42.tmp\t1.dll
  Filesize: 4KB
  MD5: 058ba8a0916d957d3b91d08ea2e876e2
  SHA1: 1a7c36c50c5bd93f535b624a2882bc3905e7e7f3
  SHA256: 510af8083c0eef8b04e1171a9d6d94c64a1859701bbb106c565d2ec869437661
  SHA512: 24124b45bf42e186a06fcb71ca7e2c1fed3b762b681286185d7cdff53b3800c35b6326a6f21c82e9de59d8bbcb3fdab4a5c1cc9c8683e43ff230b07913d26f02
- \Users\Admin\AppData\Roaming\InstallW\IWsrv.exe
  Filesize: 54KB
  MD5: 79cd0ba3574f3decd2d424fac08025c4
  SHA1: 9c0429c61127ebfd147bff40f6439b50fd2fac29
  SHA256: 8eea14b5404a475245bf79e30c09c59848f1fd5c71535db1e3473a7c4107c801
  SHA512: 39538f6747a74fe719b371f854d7b349f6c23cf7f80a94ffc4fd68d3d088f137989ef9e05c26e722578cab10c87e7128d80ff73c7e8bfebfd334d5282a9e5fed
- memory/2192-18-0x0000000002C00000-0x0000000002C01000-memory.dmp
  Filesize: 4KB
- memory/2192-54-0x0000000002150000-0x000000000216C000-memory.dmp
  Filesize: 112KB
- memory/2192-78-0x0000000002C00000-0x0000000002C01000-memory.dmp
  Filesize: 4KB