Analysis
- max time kernel: 143s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 12:48
Behavioral task behavioral1
- Sample: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task behavioral2
- Sample: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
- Size: 2.1MB
- MD5: 023005fb0f1eac24563f84180c659263
- SHA1: e3255e1fdee14c848f26a8849667300164b6b101
- SHA256: 7191e62ead1231701c2d050c13df42f11ff023a45c462ceb238404cd50aa6c7b
- SHA512: 81c0763adafa7d6cad53ad5bccbdaaeb47678217df5846f5993565a79d796eebb33d4295b9a126d11f6a1201dc2faeef071e3749d8c8643ea142b45ec8fdbe54
- SSDEEP: 49152:V1Wd46hen6dhZhOOtSkOI/WeP1g0Ztgd0gUigY6ukXO:adLk6dhXfSkOI/LXZta0prXO
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   Process
1596  setup.exe
3908  EEProSetup.exe
4876  is-7K97U.tmp
3512  ~qwertyuiopa.exe

Loads dropped DLL (2 IoCs)
pid   Process
1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
3512  ~qwertyuiopa.exe

YARA rule matches (13 IoCs)
resource                                                                    yara_rule
behavioral2/memory/1360-0-0x0000000000400000-0x0000000000842500-memory.dmp  upx
behavioral2/memory/1360-1-0x0000000000400000-0x0000000000842500-memory.dmp  upx
behavioral2/files/0x000700000002340d-30.dat                                 upx
behavioral2/memory/1360-36-0x0000000010000000-0x00000000100A0000-memory.dmp upx
behavioral2/memory/1360-34-0x0000000000400000-0x0000000000842500-memory.dmp upx
behavioral2/files/0x0007000000023418-43.dat                                 upx
behavioral2/memory/1360-42-0x0000000010000000-0x00000000100A0000-memory.dmp upx
behavioral2/memory/3512-46-0x0000000000400000-0x000000000043D500-memory.dmp upx
behavioral2/memory/1360-44-0x0000000000400000-0x0000000000842500-memory.dmp upx
behavioral2/files/0x000700000002341b-51.dat                                 upx
behavioral2/memory/3512-53-0x0000000010000000-0x0000000010064000-memory.dmp upx
behavioral2/memory/3512-56-0x0000000000400000-0x000000000043D500-memory.dmp upx
behavioral2/memory/3512-58-0x0000000010000000-0x0000000010064000-memory.dmp upx
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer. The CLSID registered here resolves, via its InprocServer32 value under Modifies registry class below, to C:\Windows\Fonts\javaftp.dll, the DLL that ~qwertyuiopa.exe writes into the Fonts directory.
description   ioc                                                                                                                                              Process
Key created   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}   ~qwertyuiopa.exe
Modifies WinLogon (2 TTPs, 13 IoCs)
Winlogon\Notify packages are the Winlogon Helper DLL persistence technique (ATT&CK T1547.004). Winlogon has not loaded notification packages since Windows Vista, so on this Windows 10 image the keys persist nothing by themselves, but a freshly dropped process writing them is still a reliable hunt indicator. Both DllName values point at the Framework64 and Fonts locations recorded under Drops file in Windows directory.
description      ioc                                                                                                                                                          Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys\Impersonate = "0"                                          023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\Asynchronous = "1"                                        ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\Startup = "UserLogOn"                                     ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp                                                           ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys                                                            023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys\Asynchronous = "1"                                         023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\                                                                  ~qwertyuiopa.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\Impersonate = "0"                                         ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys\DllName = "C:\\Windows\\Microsoft.NET\\Framework64\\ftpsys.dll"   023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys\Startup = "OnEvent"                                        023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\DllName = "c:\\windows\\fonts\\javaftp.dll"               ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\                                                                  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\Logoff = "UserLogOff"                                     ~qwertyuiopa.exe
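The Winlogon\Notify and Browser Helper Object rows above are the two persistence points in this report. The following triage helper is an added example, not part of the sandbox report or its tooling: it parses registry-event rows in the exact text form the report prints (copied inline as constructed input) and lists every Winlogon\Notify package and BHO together with the DLL it resolves to and whether that DLL sits somewhere a legitimately installed component would. The EXPECTED_DIRS list is an assumption made for the example.

```python
"""Persistence triage over sandbox registry-event rows.

Added example, not part of the sandbox report. Parses rows of the form
    Key created <key> <process>
    Set value (<type>) <key>\\<value name> = "<value>" <process>
and reports Winlogon\\Notify packages and Browser Helper Objects with the DLL each
one points at.
"""
import re
from collections import defaultdict

# Constructed input: registry events copied from the report's signature tables.
EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys\Impersonate = "0" 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys\DllName = "C:\\Windows\\Microsoft.NET\\Framework64\\ftpsys.dll" 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ftpsys\Startup = "OnEvent" 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ~qwertyuiopa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp ~qwertyuiopa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\DllName = "c:\\windows\\fonts\\javaftp.dll" ~qwertyuiopa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\Startup = "UserLogOn" ~qwertyuiopa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\javaftp\Logoff = "UserLogOff" ~qwertyuiopa.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2} ~qwertyuiopa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32\ = "C:\\Windows\\Fonts\\javaftp.dll" ~qwertyuiopa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32\ThreadingModel = "apartment" ~qwertyuiopa.exe
'''

_SET = re.compile(r'^Set value \((?:int|str)\) (.+)$')
_KEY = re.compile(r'^Key created (.+)$')
_NOTIFY = re.compile(r'\\Winlogon\\Notify\\([^\\]+)$', re.I)
_BHO = re.compile(r'\\Browser Helper Objects\\(\{[0-9A-F-]+\})$', re.I)
_INPROC = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32$', re.I)

# Where a legitimately installed notification DLL or BHO would normally live.
# Assumption made for this example; tune it to the estate being hunted.
EXPECTED_DIRS = ('c:\\windows\\system32\\', 'c:\\program files\\', 'c:\\program files (x86)\\')


def parse_event(line):
    """Split one report row into (op, key, value_name, value, process); None if unparsable.

    op is 'key' or 'set'; value_name and value are None for 'key'. The writing process
    is the last whitespace-separated token, which is how the report prints it, so key
    paths containing spaces ("Windows NT", "Browser Helper Objects") survive intact.
    """
    rest, _, process = line.strip().rpartition(' ')
    m = _SET.match(rest)
    if m:
        path, _, value = m.group(1).partition(' = ')
        # The report escapes backslashes inside quoted values ("C:\\Windows\\...").
        value = value.strip('"').replace('\\\\', '\\')
        key, _, name = path.rpartition('\\')      # trailing "\" means the default value
        return 'set', key, name, value, process
    m = _KEY.match(rest)
    if m:
        return 'key', m.group(1).rstrip('\\'), None, None, process
    return None


def analyse(text):
    """Return one finding per Winlogon\\Notify package and per BHO found in text."""
    notify = defaultdict(dict)   # package name -> {value name: value, '_process': writer}
    bho = {}                     # CLSID -> process that registered it
    inproc = {}                  # CLSID -> InprocServer32 default value (the DLL path)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        op, key, name, value, process = ev
        if (m := _NOTIFY.search(key)):
            pkg = notify[m.group(1).lower()]
            pkg['_process'] = process
            if op == 'set':
                pkg[name] = value
        elif (m := _BHO.search(key)):
            bho[m.group(1).upper()] = process
        elif (m := _INPROC.search(key)) and op == 'set' and name == '':
            inproc[m.group(1).upper()] = value

    findings = []
    # Winlogon has not loaded Notify packages since Vista, but any process writing the
    # key is worth a look, and the DllName tells you which dropped file to pull.
    for pkg, vals in sorted(notify.items()):
        dll = vals.get('DllName', '')
        findings.append({
            'type': 'winlogon_notify', 'name': pkg, 'dll': dll, 'process': vals['_process'],
            'hooks': {k: v for k, v in vals.items() if k in ('Startup', 'Logoff')},
            'dll_in_expected_dir': dll.lower().startswith(EXPECTED_DIRS),
        })
    for clsid, process in sorted(bho.items()):
        dll = inproc.get(clsid, '')           # empty if the CLSID was never registered
        findings.append({
            'type': 'bho', 'name': clsid, 'dll': dll, 'process': process, 'hooks': {},
            'dll_in_expected_dir': dll.lower().startswith(EXPECTED_DIRS),
        })
    return findings


if __name__ == '__main__':
    for f in analyse(EVENTS):
        flag = '' if f['dll_in_expected_dir'] else '   <-- unexpected location'
        print(f"{f['type']:16} {f['name']:40} {f['dll']}{flag}  (written by {f['process']})")
```

On a live host the same logic applies to the output of `reg query` over `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` (and the WOW6432Node mirror) and `...\Explorer\Browser Helper Objects`, resolving each BHO CLSID through `HKCR\CLSID\{...}\InprocServer32`.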
Drops file in Windows directory (6 IoCs)
description                   ioc                                               Process
File created                  C:\Windows\Drivers\javaftp.dl                     ~qwertyuiopa.exe
File created                  C:\Windows\Fonts\javaftp.dl                       ~qwertyuiopa.exe
File created                  C:\Windows\java\ftpsys.dl                         023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
File created                  C:\Windows\Microsoft.NET\Framework64\ftpsys.dl    023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\ftpsys.dll   023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
File created                  C:\Windows\Driver Cache\javaftp.dl                ~qwertyuiopa.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (23 IoCs)
These writes register the COM class PsapiAnalyzer.PsapiAnalyzer with CLSID {C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2} and in-process server C:\Windows\Fonts\javaftp.dll; this is the COM registration behind the Browser Helper Object above.
description      ioc                                                                                                                                Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1                                                                   ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\ = "PsapiAnalyzer Object"                                           ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CLSID                                                               ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CurVer                                                              ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CurVer\ = "PsapiAnalyzer.PsapiAnalyzer.1"                           ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\VersionIndependentProgID              ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32\ = "C:\\Windows\\Fonts\\javaftp.dll"   ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\AppID                                 ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1\CLSID                                                             ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1\CLSID\ = "{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}"                ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\TypeLib                               ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\VersionIndependentProgID\ = "PsapiAnalyzer.PsapiAnalyzer"   ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\Programmable                          ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\ = "PsapiAnalyzer Object"             ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\ProgID                                ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer\CLSID\ = "{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}"                  ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}                                       ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\ProgID\ = "PsapiAnalyzer.PsapiAnalyzer.1"   ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32                        ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\InprocServer32\ThreadingModel = "apartment"   ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7EB62D2-5C2D-4358-92DE-94CC31AEBCD2}\TypeLib\ = "{FD344746-28E1-4495-9F6B-EF629FF475AF}"   ~qwertyuiopa.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer.1\ = "PsapiAnalyzer Object"                                         ~qwertyuiopa.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\PsapiAnalyzer.PsapiAnalyzer                                                                     ~qwertyuiopa.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe
3512  ~qwertyuiopa.exe
3512  ~qwertyuiopa.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  3512  ~qwertyuiopa.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description                       pid   Process                                              procid_target
PID 1360 wrote to memory of 1596  1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  80
PID 1360 wrote to memory of 1596  1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  80
PID 1360 wrote to memory of 1596  1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  80
PID 1596 wrote to memory of 3908  1596  setup.exe                                            81
PID 1596 wrote to memory of 3908  1596  setup.exe                                            81
PID 1596 wrote to memory of 3908  1596  setup.exe                                            81
PID 3908 wrote to memory of 4876  3908  EEProSetup.exe                                       82
PID 3908 wrote to memory of 4876  3908  EEProSetup.exe                                       82
PID 3908 wrote to memory of 4876  3908  EEProSetup.exe                                       82
PID 1360 wrote to memory of 3472  1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  56
PID 1360 wrote to memory of 3512  1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  85
PID 1360 wrote to memory of 3512  1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  85
PID 1360 wrote to memory of 3512  1360  023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  85
PID 3512 wrote to memory of 3472  3512  ~qwertyuiopa.exe                                     56
Processes
C:\Windows\Explorer.EXE  (level 1, PID 3472)
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\023005fb0f1eac24563f84180c659263_JaffaCakes118.exe  (level 2, PID 1360)
    Command line: "C:\Users\Admin\AppData\Local\Temp\023005fb0f1eac24563f84180c659263_JaffaCakes118.exe"
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\setup.exe  (level 3, PID 1596)
      Command line: C:\Users\Admin\AppData\Local\Temp\setup.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe  (level 4, PID 3908)
        Command line: C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\is-8RP9T.tmp\is-7K97U.tmp  (level 5, PID 4876)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-8RP9T.tmp\is-7K97U.tmp" /SL4 $301DA "C:\Users\Admin\AppData\Local\Temp\EEProSetup.exe" 1393535 52224
          - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\~qwertyuiopa.exe  (level 3, PID 3512)
      Command line: C:\Users\Admin\AppData\Local\Temp\~qwertyuiopa.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies WinLogon
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
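Read together, the WriteProcessMemory table and the process tree separate two kinds of write: a parent writing into a child it has just spawned (the three identical rows per child here line up with each process start) and a process writing into something it did not create. The rows from 1360 and 3512 into PID 3472, Explorer.EXE, are the second kind, and Explorer is the ancestor of both writers. The script below is an added example, not part of the sandbox report or its tooling; the process tree and the WriteProcessMemory rows are copied from the report as constructed inline data, and the spawn/cross classification is a triage heuristic, not a sandbox-defined category.

```python
"""Split sandbox WriteProcessMemory rows into own-child writes and cross-tree writes.

Added example, not part of the sandbox report. A write from a parent into a child it
spawned is routine at process start; a write into any other process (an ancestor,
a sibling, an unrelated process) is the injection candidate to look at first.
"""
import re
from collections import Counter

# Constructed from the report's Processes tree: pid -> (image name, parent pid).
PROCESS_TREE = {
    3472: ('Explorer.EXE', None),
    1360: ('023005fb0f1eac24563f84180c659263_JaffaCakes118.exe', 3472),
    1596: ('setup.exe', 1360),
    3908: ('EEProSetup.exe', 1596),
    4876: ('is-7K97U.tmp', 3908),
    3512: ('~qwertyuiopa.exe', 1360),
}

# Constructed from the report's WriteProcessMemory table, one row per line.
WPM_EVENTS = """
PID 1360 wrote to memory of 1596 1360 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe 80
PID 1360 wrote to memory of 1596 1360 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe 80
PID 1360 wrote to memory of 1596 1360 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe 80
PID 1596 wrote to memory of 3908 1596 setup.exe 81
PID 1596 wrote to memory of 3908 1596 setup.exe 81
PID 1596 wrote to memory of 3908 1596 setup.exe 81
PID 3908 wrote to memory of 4876 3908 EEProSetup.exe 82
PID 3908 wrote to memory of 4876 3908 EEProSetup.exe 82
PID 3908 wrote to memory of 4876 3908 EEProSetup.exe 82
PID 1360 wrote to memory of 3472 1360 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe 56
PID 1360 wrote to memory of 3512 1360 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe 85
PID 1360 wrote to memory of 3512 1360 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe 85
PID 1360 wrote to memory of 3512 1360 023005fb0f1eac24563f84180c659263_JaffaCakes118.exe 85
PID 3512 wrote to memory of 3472 3512 ~qwertyuiopa.exe 56
"""

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
_WPM = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$')


def parse_wpm(text):
    """Yield (writer_pid, target_pid, writer_image) for each row that matches the format."""
    for line in text.splitlines():
        m = _WPM.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(4)


def classify(events, tree):
    """Aggregate writes per (writer, target) pair and tag each pair.

    kind == 'spawn': the target's parent is the writer (expected around process creation)
    kind == 'cross': the target is not the writer's child (candidate injection)
    """
    counts = Counter((writer, target) for writer, target, _ in events)
    rows = []
    for (writer, target), n in sorted(counts.items()):
        target_image, target_parent = tree.get(target, ('<unknown>', None))
        rows.append({
            'writer': writer, 'writer_image': tree.get(writer, ('<unknown>', None))[0],
            'target': target, 'target_image': target_image, 'writes': n,
            'kind': 'spawn' if target_parent == writer else 'cross',
        })
    return rows


def cross_tree_writes(text=WPM_EVENTS, tree=PROCESS_TREE):
    """The pairs worth a closer look: writes into a process the writer did not spawn."""
    return [r for r in classify(parse_wpm(text), tree) if r['kind'] == 'cross']


if __name__ == '__main__':
    for r in classify(parse_wpm(WPM_EVENTS), PROCESS_TREE):
        print(f"{r['kind']:5} {r['writer']:>5} {r['writer_image']:52} -> "
              f"{r['target']:>5} {r['target_image']:20} x{r['writes']}")
```

The same pairing works on endpoint telemetry that records both process creation and cross-process memory writes (for example Sysmon event ID 1 plus 8 or 10): join the write event to the creation event of its target and keep only the writes whose target was not created by the writer.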
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 251c34d11dd66e2c0b678c3af9813c4a
  SHA1: 3aa135742a05bf768e2e4410de0931586bd4a27d
  SHA256: 874912d8e3bd9369fee116ef6b72cde8f44c9be57259accff41ec3e62d2f039e
  SHA512: 966e6b5b8c96626d32d8726bca630de2092786b9fcb99a364a0e52880d66f5b7aa9feac256300a49535c2a5b2b41f232170623749a186e42a2f853182855fbfe
- Filesize: 643KB
  MD5: 036ef63e2f9b138a42d6adb54ec0cd1e
  SHA1: 353db5d438205a726a6d54beb62f9c62638f501d
  SHA256: 71b487f0523f213004766402b22bf86fa0ef9891e940d2a4cb12eba6627e7cc6
  SHA512: 31b8f6e76c8c4f5323f12384c41f6f2b04e58545c121da71e2a4da947a9c0aea9eb05df4f8199cc6dc89bc238577c4e2d5fb4b66e77e1130bc72b6c38f207cc9
- Filesize: 1.6MB
  MD5: 2c131f0eaf3c74c05e0620a30848db74
  SHA1: e1fd5f28a0ad5df9bb7ded2fccf3017d29d19e1e
  SHA256: 69d8ae1e9ea15adee88fa563e45a721f5d073799db2e64520ce19542757d38a0
  SHA512: 26ca32ae597ca74df495bf0a62b9c7beae91e4ac0509ea028808098e3b203343f5c6685d5ce4582bcd8e6b103f08881c3e9d8863c1a33638f4d5e6c439fa21ae
- Filesize: 201KB
  MD5: 5bcfb909d7b9377f249e7c2a41c16490
  SHA1: c6353932216f3fb1976fe6b362ba5a373eafb842
  SHA256: cafa0fd6de888d191d65a35bc1ddfcc85c665c50e7fe835a42d5d0f6e335a012
  SHA512: 2d325c1f39bb9eac5c4816255be9b44c76a90f6fb7253691ef138e7697d1df5ff85e2d09616d81784b83de3835cb49d31e0a5a0d84e6d5b00d23e2773306e526
- Filesize: 163KB
  MD5: a00286212e09124078c937614be400d3
  SHA1: d18b980423ef3b695002a5be256aace6a7140396
  SHA256: 3b3eacf2e68464e1a6cde21bc42a3a2c5dede0bf1c6a22bd592f6a77a3ff45ca
  SHA512: caf4313a0ad5076d6fdec9e92f71e7555531b7ca9ab32b334ee246a95c4f9a32329d59788f14e19a6033651367c23ed64994dd16e55b726a5f821daa21381c01
- Filesize: 248KB
  MD5: aeeb64067a87e8e46e522c2eeaf45535
  SHA1: 7a31869b5a66182eb16e0b52ac8168ad9a1bb27c
  SHA256: 3761ff04e5e9be07a206e1292c4c6d83f7fccec65f793ddb630637bd18982c7f
  SHA512: 221d82b94814b9d9e526a19576b8424a174e88f9b46388d42fdbb1e7798bc46bcd906e61273f2b7e2e4942c85c46228201d94ffa9632964e966bdd5c182d0c35