Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 07:33

Static task: static1

Behavioral task: behavioral1
- Sample: 040ff18b515119bac92de538e18db109_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 040ff18b515119bac92de538e18db109_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 040ff18b515119bac92de538e18db109_JaffaCakes118.exe
- Size: 7KB
- MD5: 040ff18b515119bac92de538e18db109
- SHA1: f56b1876808d4a82fcb6561fce00c351d746461a
- SHA256: b5169b36f6067ef634dfa9bfe66c9ea0693480f0762a22c45720553315751479
- SHA512: fda5f6fca0d832866b27829ffe9ed7c0eaa4d7b1dbcce5adfb89eca1629f1d557d6bb69680c31a239bf750ac6e8fb640d3465180f64cf6fd3d00ad561a565251
- SSDEEP: 192:4wND/1KGapJl038Lde3BfLL8x3TTjhvlEsdnSao/s:4Qz1rw1LdeBnOTjhNEmL
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes:
  pid  | process
  2272 | cmd.exe

- Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3a729da-eabc-df50-1842-dfd682644311} | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe

- Drops file in System32 directory (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\mswapi.dll | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (5 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311} | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32 | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswapi.dll" | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\InprocServer32\ThreadingModel = "Apartment" | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e3a729da-eabc-df50-1842-dfd682644311}\script = 18b449998991e1c3e4419e26a52314b4141bff389acda062d5152c24721b223aee0d | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 3028 wrote to memory of 2272 | 3028 | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe | cmd.exe
  PID 3028 wrote to memory of 2272 | 3028 | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe | cmd.exe
  PID 3028 wrote to memory of 2272 | 3028 | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe | cmd.exe
  PID 3028 wrote to memory of 2272 | 3028 | 040ff18b515119bac92de538e18db109_JaffaCakes118.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\040ff18b515119bac92de538e18db109_JaffaCakes118.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\040ff18b515119bac92de538e18db109_JaffaCakes118.exe"
  PID: 3028
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (tree level 2, spawned by the process above)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\delt.bat" "
    PID: 2272
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 329B
  MD5: ed58dfd87e0e4f70542aa5984587465c
  SHA1: 0c2b8ebc4d9bfd4cc1e3f10987298bad6afa8dc2
  SHA256: 688349e3f296fd464a59c2edc16ec68ba1f8a14d8d50fef9cb155c2c7a2d43bd
  SHA512: 0a9c94ec5677b085d31bea2ea7cc801a22eb6fa0eb68f4869692f80b27b8c0b21be4be46f7e7e6b67498fb4a8f0d9d137c565b9bfc3e8faeb6b7d57235a778bf