Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 03:44
Static task: static1
Behavioral task: behavioral1
- Sample: acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
- Size: 4.3MB
- MD5: acc75e7e174203795154a68858b9b8ff
- SHA1: 263f3d3a79f9fe90c7cf162fec93e5b85f5f29c4
- SHA256: 4dd2cebb71124be2cfc3ad7f79ddb4e113c7629c22e0d4eb8ab8c372c2438610
- SHA512: 13d2d38ff826054ce052483a2836fa2e7e1e4bc30060544de3203678648318f693d866dd95aaf0ebf20979b20729923c25f75feac2ec7b4fc21aa8e707d1d875
- SSDEEP: 98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 4888, process Чистилка.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: description "File opened for modification", ioc \??\PhysicalDrive0, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
- Drops file in Windows directory (1 IoC)
  Processes: description "File created", ioc C:\Windows\fonts\pns.ttf, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  - Token: SeTakeOwnershipPrivilege, pid 4808, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
  - Token: SeRestorePrivilege, pid 4808, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
  - Token: SeDebugPrivilege, pid 4808, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
  - Token: SeTakeOwnershipPrivilege, pid 4888, process Чистилка.exe
  - Token: SeRestorePrivilege, pid 4888, process Чистилка.exe
  - Token: SeDebugPrivilege, pid 4888, process Чистилка.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: pid 4808, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe (listed 3 times)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: pid 4808, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe (listed 3 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: pid 4808, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe (listed 2 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: description "PID 4808 wrote to memory of 4888", pid 4808, process acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe, target process Чистилка.exe (listed 3 times)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acc75e7e174203795154a68858b9b8ff_JaffaCakes118.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Depth 2 (child of the above): C:\ProgramData\Чистилка\Чистилка.exe
  Command line: C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\Чистилка\Чистилка.exe
  - Filesize: 4.3MB
  - MD5: acc75e7e174203795154a68858b9b8ff
  - SHA1: 263f3d3a79f9fe90c7cf162fec93e5b85f5f29c4
  - SHA256: 4dd2cebb71124be2cfc3ad7f79ddb4e113c7629c22e0d4eb8ab8c372c2438610
  - SHA512: 13d2d38ff826054ce052483a2836fa2e7e1e4bc30060544de3203678648318f693d866dd95aaf0ebf20979b20729923c25f75feac2ec7b4fc21aa8e707d1d875