Analysis
- max time kernel: 140s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20/06/2024, 03:36
Static task: static1
Behavioral task: behavioral1
  Sample: 0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
- Target: 0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
- Size: 211KB
- MD5: 0274d65f4ee68b1fb425357c713cf8bd
- SHA1: e9a7c1d9e8296eb8495160749d188aee55aaad02
- SHA256: 7146f9eee55a4519eed0b9cde362fb84e47115b576937a149d613e8e018a23d6
- SHA512: df68405bb61675e3cc377d0e6a5972cbd5c03a1f37c708f24bb25ca323ac56569e17f1c6f62b2d34b503a447f705e46e566dc190d31cc959482797d9ef68dc66
- SSDEEP: 3072:oUGPS1zzF2puPFG0bGzIMnzOI4faa8B57+g5B3Qg+YMDUVLZq6mViKJTjwKCtBGx:P1fFvtnqz5z9a8B5VfQChqxHqFg2Fk
Malware Config
Signatures
- Event Triggered Execution: AppCert DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls are loaded into every process that calls a CreateProcess-family API, and Windows invokes their CreateProcessNotify export; the rundll32 command line in the process tree below calls exactly that export in the dropped dpnsInit64.dll. Note that this report records no registry IoC, so it does not show whether the AppCertDlls value was actually written; check that key directly on any affected host.
- Deletes itself (1 IoC)
  pid 2780, Process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1224, Process Explorer.EXE
- Loads dropped DLL (8 IoCs)
  pid 2356, Process 0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
  pid 2996, Process rundll32.exe (4 entries)
  pid 2780, Process cmd.exe
  pid 2976, Process attrib.exe
  pid 860, Process not Found
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\system32\dpnsInit64.dll, Process 0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
  File opened for modification: C:\Windows\SysWOW64\dpnsInit.dll, Process 0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2356, Process 0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  The sandbox logs one row per write; the 20 rows collapse to four source/target pairs (Process is the writing process, procid_target is the sandbox's index for the target):
  PID 2356 (0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe) wrote to memory of 2996 (rundll32.exe), procid_target 28: 4 rows
  PID 2356 (0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe) wrote to memory of 2780 (cmd.exe), procid_target 29: 7 rows
  PID 2996 (rundll32.exe) wrote to memory of 1224 (Explorer.EXE), procid_target 21: 2 rows
  PID 2780 (cmd.exe) wrote to memory of 2976 (attrib.exe), procid_target 31: 7 rows
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid 2976, Process attrib.exe
Processes
- C:\Windows\Explorer.EXE (PID 1224, level 1)
  Command line: C:\Windows\Explorer.EXE
  - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe (PID 2356, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\rundll32.exe (PID 2996, level 3)
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\dpnsInit64.dll",CreateProcessNotify
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2780, level 3)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259414826.bat" "C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe""
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 2976, level 4)
        Command line: attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe"
        - Loads dropped DLL
        - Views/modifies file attributes
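The process tree above shows two chains worth turning into detection logic: rundll32 calling the CreateProcessNotify export of a freshly dropped DLL in System32, and cmd.exe running a Temp .bat that receives the parent sample's own path and then spawns attrib to strip the system/read-only/hidden attributes from it. The script below is an added example, not part of this report or of any sandbox product; it runs over hand-constructed process-creation records (Sysmon Event ID 1 style dicts with pid, ppid, image and cmd, which are assumed field names) that mirror the tree above plus one benign rundll32 launch as a control. The batch file's contents are not on the page, so the self-deletion check only covers the path handoff and the attrib step that are visible.

```python
import re
from collections import defaultdict

# Constructed process-creation records mirroring the tree in this report,
# plus one benign rundll32 launch as a control. Hand-written for the example,
# not sandbox output; "pid"/"ppid"/"image"/"cmd" are assumed field names.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe"
EVENTS = [
    {"pid": 1224, "ppid": 4, "image": r"C:\Windows\Explorer.EXE",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 2356, "ppid": 1224, "image": SAMPLE, "cmd": '"%s"' % SAMPLE},
    {"pid": 2996, "ppid": 2356, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\dpnsInit64.dll",CreateProcessNotify'},
    {"pid": 2780, "ppid": 2356, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\259414826.bat" "%s""' % SAMPLE},
    {"pid": 2976, "ppid": 2780, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmd": 'attrib -s -r -h "%s"' % SAMPLE},
    # Benign control: rundll32 invoking a stock Windows entry point.
    {"pid": 3100, "ppid": 1224, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Paths the report shows the sample writing under System32 / SysWOW64.
DROPPED_DLLS = {
    r"c:\windows\system32\dpnsinit64.dll",
    r"c:\windows\syswow64\dpnsinit.dll",
}

# 'rundll32.exe <dll>,<export>' with or without quotes around the DLL path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>\w+)', re.I)
# 'attrib <+/-switches> <path>'; tolerates the missing space seen in the report.
ATTRIB_RE = re.compile(r'attrib(?:\.exe)?\s+(?P<flags>(?:[+-][srha]\s*)+)"?(?P<path>[^"]+)"?', re.I)
# A quoted .bat followed by a quoted path argument.
BAT_RE = re.compile(r'"(?P<bat>[^"]+\.bat)"\s+"(?P<target>[^"]+)"', re.I)


def by_pid(events):
    return {e["pid"]: e for e in events}


def ancestry(events, pid):
    """Return [pid, parent, grandparent, ...] as far as the records reach."""
    table = by_pid(events)
    chain = []
    while pid in table:
        chain.append(pid)
        pid = table[pid]["ppid"]
    return chain


def find_appcert_rundll32(events):
    """Flag rundll32 launches that call a DLL's CreateProcessNotify export.

    CreateProcessNotify is the entry point Windows calls in every DLL listed
    under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls,
    so invoking it by hand is a strong hint the DLL was built as an AppCert DLL.
    """
    hits = []
    for e in events:
        if not e["image"].lower().endswith(r"\rundll32.exe"):
            continue
        m = RUNDLL_RE.search(e["cmd"])
        if not m or m.group("export").lower() != "createprocessnotify":
            continue
        dll = m.group("dll").strip().lower()
        hits.append({"pid": e["pid"], "dll": dll, "dropped": dll in DROPPED_DLLS,
                     "chain": ancestry(events, e["pid"])})
    return hits


def find_self_delete_batch(events):
    """Flag cmd.exe running a .bat that is handed its own parent's image path,
    with a child attrib.exe clearing -s -r -h on that same path."""
    table = by_pid(events)
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if not e["image"].lower().endswith(r"\cmd.exe"):
            continue
        m = BAT_RE.search(e["cmd"])
        if not m:
            continue
        target = m.group("target").lower()
        parent = table.get(e["ppid"])
        if parent is None or parent["image"].lower() != target:
            continue
        attrib_pids = []
        for c in children[e["pid"]]:
            a = ATTRIB_RE.search(c["cmd"])
            if a and a.group("path").strip().lower() == target:
                flags = a.group("flags").replace(" ", "").lower()
                if all(f in flags for f in ("-s", "-r", "-h")):
                    attrib_pids.append(c["pid"])
        if attrib_pids:
            hits.append({"pid": e["pid"], "bat": m.group("bat"),
                         "target": target, "attrib_pids": attrib_pids})
    return hits


def analyze(events):
    return {"appcert_rundll32": find_appcert_rundll32(events),
            "self_delete": find_self_delete_batch(events)}


if __name__ == "__main__":
    for kind, hits in analyze(EVENTS).items():
        for h in hits:
            print(kind, h)
```

The benign control shows why the rule keys on the export name rather than on rundll32 itself: rundll32 with shell32.dll,Control_RunDLL is normal desktop activity, while a CreateProcessNotify call against a DLL that the same parent just wrote to System32 is not. On a live host, pair these rules with a read of the AppCertDlls key and a hash check of the two dropped DLL paths.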
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 97B
  MD5: d226a657b279c5fc0a892748230a56ff
  SHA1: fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5
  SHA256: 9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761
  SHA512: 07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a
- Filesize: 65KB
  MD5: 83d1388959ad733f40c785d751aa119a
  SHA1: f3cb42e0ed55f139feada3c1d2ce5528874c9fac
  SHA256: f1ac4f44060d244cdce1fe85d7ae9758f3217415735eefa9f055457bfb74d484
  SHA512: 13b499cd0a3e6050a0bbed61df3cec1a9138e68cea6e9be77a638c5b5d3ec1ac7040022b94830112363052d4ddf4ac58af23a201ce9bf718977505b2b7d74c77
- Filesize: 73KB
  MD5: bf1f0dc6eb99b444bc727c172c4524d0
  SHA1: 57b660e21602b7e2138751d63829d61c801b2086
  SHA256: 8c27915722deb5fbd4b86cfe0770e8772c172c6c12932b3c3e539a0d57831453
  SHA512: a669747f6ae13973542a7f9acedf7a37f937b75e20fe8373980e8793817d0b94eabb5c49d20fd2b65a0f9f636e6d1f5e3f73c599cd956892ec3d47f310cedb8d