Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 11:30
Static task
static1
Behavioral task
behavioral1
Sample
a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe
-
Size
466KB
-
MD5
a97144af800ff333f4b8a0361d791087
-
SHA1
131cef8e8239477f295dfb84a70304d62652bd6b
-
SHA256
125273103d910e7aec35c4bf75fce7fb0d000eee31b9b5409119f38069dbb722
-
SHA512
ca61bfb7da94969720f2c54ba5c6b16b151405777612f0c78a17f885e668e8bcb69b45ff35c3fcc07a3bde7911d5956ab5f13640a1a806092803eea0b6cb07bb
-
SSDEEP
6144:BWylDcksxWe65bf67rHzZ8Ees9gbCKbGHOOJ3Vd6QBOT+VTJQQCklKAmAAcOGRwj:0yGksh8bfUrH2osCKi7kQBOTrE5F9wfL
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2068 PEVerify.exe -
Loads dropped DLL 1 IoCs
pid Process 2948 cmd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe = "\\flash player\\flashplayer.exe" a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\flash player\\flashplayer.exe" a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2284 set thread context of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2068 PEVerify.exe 2068 PEVerify.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 2068 PEVerify.exe 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe Token: SeDebugPrivilege 2068 PEVerify.exe Token: SeDebugPrivilege 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2732 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 29 PID 2284 wrote to memory of 2948 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 30 PID 2284 wrote to memory of 2948 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 30 PID 2284 wrote to memory of 2948 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 30 PID 2284 wrote to memory of 2948 2284 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 30 PID 2948 wrote to memory of 2068 2948 cmd.exe 32 PID 2948 wrote to memory of 2068 2948 cmd.exe 32 PID 2948 wrote to memory of 2068 2948 cmd.exe 32 PID 2948 wrote to memory of 2068 2948 cmd.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32 PID 2732 wrote to memory of 2068 2732 a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe" & exit2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Users\Admin\AppData\Roaming\PEVerify.exe"C:\Users\Admin\AppData\Roaming\PEVerify.exe" "C:\Users\Admin\AppData\Local\Temp\a97144af800ff333f4b8a0361d791087_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381B
MD51e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA14260284ce14278c397aaf6f389c1609b0ab0ce51
SHA2564bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA5128c290919e456a80d87dd6d243e4713945432b9a2bc158bfa5b81ae9fed1a8dd693da51914fa4014c5b8596e36186a9c891741c3b9011958c7ac240b7d818f815
-
Filesize
4B
MD5361440528766bbaaaa1901845cf4152b
SHA1224b4abdea2bf26fdd64a13e71029cf0d37606ac
SHA256b549a5b406eaace4dd104bfee203c7e838567e7e45174637cbef1a5718f6912e
SHA5129a352d9c1e6acecee747ef7ec03d052d37eafa0ca09746d100cd79c0eafa7b568901e9b54896fa91ab6c32a96d9b95d276a7d9d34675bcd912987794c06682f5
-
Filesize
59B
MD5903bc0b85fb3242bd00462af69a6b34e
SHA120d8d42695d74cae9a05d04978ef79e015fc887c
SHA256e9d122b170c38b2fe8dc1855b347d00cce07c7718d23516ffa9e1a637c6fcb89
SHA5121ed4e6622cf36b361b10446377db746d45d26ce2c89d7ab13451107040d9cb7982cad2a810d23d737d49364c5b762ccfa54c74e6481c5cab70c509c618d119fb
-
Filesize
53KB
MD56c93f0cc87ec29681dc4c92eed621884
SHA195c432cabca506dc9ce77d2eb36a820a9c706b2e
SHA256f7a659e450b6f82939e4e48436abff93788bdd41b0a4b34d25d72f24a3e24d1b
SHA512dde8fa67890bdc07deb86b6e10b9cf773ac6bb3f0315de19cc67df2a6443d88d40e2a932a13e357c7d311863a495a88c20b2a034ba0a7862fe76893bf9c6427d