Analysis
max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted
20-06-2024 14:23
Static task
static1
Behavioral task
behavioral1
Sample
06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Size
685KB
MD5
06ca6d90c80d76ef20aab6bc99167779
SHA1
a55aa39be0ade1b0d8fd3f9954e7cb5ef7545cf0
SHA256
5f6dfef989b9ac4da5ccb5fcb8bc07ee3d6b86188e6d20d5d349d42191e15ab0
SHA512
00b6d256687ca02ef0d97317cd3f4712c87a9e777ffcaea9d06ece629513988dbed7a6a69d0500885300790a5824abe3e80c9f858a4b2271810fd1cfe79e2051
SSDEEP
12288:qW5n9Ol1DiaEtPBw4UsKK7A+y5gmyF2xP2W21WYdpPz8ZtZVyLmg/TsNQ1oP:qonU+ax4e2myF2x+W21rdpP4ZtZELT8f
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid  Process
2788  SVCHOST.EXE
2704  Pinnacle.exe

resource  yara_rule
behavioral1/memory/2704-29-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
behavioral1/files/0x001a0000000144f6-26.dat  upx
behavioral1/memory/2704-36-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "c:\\windows\\SVCHOST.EXE"  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral1/memory/2704-36-0x0000000000400000-0x00000000004A4000-memory.dmp  autoit_exe
Drops file in Windows directory 4 IoCs
description  ioc  Process
File created  \??\c:\windows\SVCHOST.EXE  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
File created  \??\c:\windows\Pinnacle.exe  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
File opened for modification  \??\c:\windows\svchost.inf  SVCHOST.EXE
File created  \??\c:\windows\svchost.inf  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid  Process
2704  Pinnacle.exe
2788  SVCHOST.EXE
Suspicious use of FindShellTrayWindow 64 IoCs
pid  Process
2704  Pinnacle.exe  (64 identical entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid  Process
2704  Pinnacle.exe  (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
2788  SVCHOST.EXE
2788  SVCHOST.EXE
Suspicious use of WriteProcessMemory 8 IoCs
description  pid  Process  procid_target
PID 2124 wrote to memory of 2788  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  28
PID 2124 wrote to memory of 2788  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  28
PID 2124 wrote to memory of 2788  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  28
PID 2124 wrote to memory of 2788  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  28
PID 2124 wrote to memory of 2704  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  29
PID 2124 wrote to memory of 2704  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  29
PID 2124 wrote to memory of 2704  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  29
PID 2124 wrote to memory of 2704  2124  06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\06ca6d90c80d76ef20aab6bc99167779_JaffaCakes118.exe"
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2124
    C:\windows\SVCHOST.EXE
      "C:\windows\SVCHOST.EXE"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID:2788
    C:\windows\Pinnacle.exe
      "C:\windows\Pinnacle.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:2704
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
261KB
MD5
b2755b1b19afb6f091b95a04fcfc7e32
SHA1
13bb01e2c504b1d76ad20931c33bf1361b8a07e8
SHA256
8ec3c7cc0cade861b181c9ebe19b970ee5bdad92cc50d1fc5de8bcc1b3b831ac
SHA512
0ee56aa01f3861179aed1790b2ac619c3b0e03ceda4e188fdced6b49c5f9e7d3bbc510f54e8e7b69dcaee2f92594d9e536982e4e5bd4eda5763941651661669e

Filesize
500KB
MD5
2c3a3dfc019e42a6dc14ff2c2de71cd6
SHA1
c5013a9e0253928d75176a238bd21ff311364e9e
SHA256
d4e7e8e9f0d90d90029c83cdfbe5810bb1b20605d50cd57ef008f63dbe44c858
SHA512
f830f3c4fe0c8bf507f541b7c82eba93370c81fcbbaf89e54492873086838e20ac3a4d55957263138f4e76e7cb059ea55ca49dd0e672a4d237b0aa37e1e7abf8

Filesize
3B
MD5
a5ea0ad9260b1550a14cc58d2c39b03d
SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74