Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-06-2024 20:28
Static task
static1
Behavioral task
behavioral1
Sample
0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
0f6b00b0c5a26a5aa8942ae356329945
-
SHA1
1f412a62f50ff71f0b2b2f54aaa980962ebfd8a4
-
SHA256
6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3
-
SHA512
e8c6ff3952b6b1066d113ce8b1e76ed20ec8eb5511045f374706fa2a44cf7b6d096e56a01e2318b872de4a5530872132053f13836d8ff4ffa75396a1ee4b34d9
-
SSDEEP
49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJq:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQs
Malware Config
Signatures
-
Detects PlugX payload 14 IoCs
resource yara_rule behavioral2/memory/2568-42-0x0000000003550000-0x000000000357E000-memory.dmp family_plugx behavioral2/memory/4692-46-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/2568-59-0x0000000003550000-0x000000000357E000-memory.dmp family_plugx behavioral2/memory/4692-60-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/4692-61-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/4692-58-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/4692-47-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/1928-69-0x0000000001430000-0x000000000145E000-memory.dmp family_plugx behavioral2/memory/1928-71-0x0000000001430000-0x000000000145E000-memory.dmp family_plugx behavioral2/memory/1928-72-0x0000000001430000-0x000000000145E000-memory.dmp family_plugx behavioral2/memory/4692-208-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/4692-554-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/4692-565-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx behavioral2/memory/4692-566-0x00000000012F0000-0x000000000131E000-memory.dmp family_plugx -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk rudiment.exe -
Executes dropped EXE 1 IoCs
pid Process 2568 rudiment.exe -
Loads dropped DLL 1 IoCs
pid Process 2568 rudiment.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\MJ svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 36004200450033004500440043004500340043003600380042003500390042000000 svchost.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4640 WINWORD.EXE 4640 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4532 0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe 4532 0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe 4692 svchost.exe 4692 svchost.exe 4692 svchost.exe 4692 svchost.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 4692 svchost.exe 4692 svchost.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 4692 svchost.exe 4692 svchost.exe 4692 svchost.exe 4692 svchost.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 4692 svchost.exe 4692 svchost.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 4692 svchost.exe 4692 svchost.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe 1928 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4692 svchost.exe 1928 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2568 rudiment.exe Token: SeTcbPrivilege 2568 rudiment.exe Token: SeDebugPrivilege 4692 svchost.exe Token: SeTcbPrivilege 4692 svchost.exe Token: SeDebugPrivilege 1928 msiexec.exe Token: SeTcbPrivilege 1928 msiexec.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 4532 0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe 4532 0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe 4640 WINWORD.EXE 4640 WINWORD.EXE 4640 WINWORD.EXE 4640 WINWORD.EXE 4640 WINWORD.EXE 4640 WINWORD.EXE 4640 WINWORD.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4532 wrote to memory of 2568 4532 0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe 85 PID 4532 wrote to memory of 2568 4532 0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe 85 PID 4532 wrote to memory of 2568 4532 0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe 85 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 2568 wrote to memory of 4692 2568 rudiment.exe 86 PID 4692 wrote to memory of 1928 4692 svchost.exe 90 PID 4692 wrote to memory of 1928 4692 svchost.exe 90 PID 4692 wrote to memory of 1928 4692 svchost.exe 90 PID 4692 wrote to memory of 1928 4692 svchost.exe 90 PID 4692 wrote to memory of 1928 4692 svchost.exe 90 PID 4692 wrote to memory of 1928 4692 svchost.exe 90 PID 4692 wrote to memory of 1928 4692 svchost.exe 90 PID 4692 wrote to memory of 1928 4692 svchost.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0f6b00b0c5a26a5aa8942ae356329945_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\rudiment.exeC:\Users\Admin\AppData\Local\Temp\rudiment.exe2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\SysWOW64\msiexec.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4640
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD5553d8c46167760c355a5b78be01fc9cb
SHA10310fde0e9ca8689ce50e8f289bc4705b8b2f2a0
SHA256e3f41c94178ea5accdf0df7085e521a0e37f00c3e8a3592703ea437c845ff107
SHA512530f255afb05d41dbe35117fa723662f1378ed94c3c1f2bebb60631abe8be92046452ebcdf0371812daefa27c9036d521cc513804e2c299c7f7936eabeb1cb6c
-
Filesize
47KB
MD5b5bdaba69689e8be57ce78bb6845e4f0
SHA1573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a
SHA2561e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad
SHA512e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5
-
Filesize
112KB
MD5f4088f557d6fd4b5f745cbc2295c68e7
SHA1de858db1019668e7f55a0f0bee48bea1d93c1701
SHA2568c9f78462bf05c2ac3b5af2ad01ae764d921cf1ab7baa82763f9f7d636903a26
SHA512f79e1d1bab24c4fa3622c8f11ced0f599af2783dddcfb7304d30ec72ddd82123c2bdee6d64251d50a5aa9dcc7619e7ce1097f5e26cac5869eb9c4df0a7e647f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl
Filesize245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84