Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 22:31
Behavioral task: behavioral1
Sample: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Size: 389KB
MD5: 13b5fbb2847f2f50d7b7427f9c1d892b
SHA1: ade31cdbbf6ab44e1333fe4b26e3c20345c0e723
SHA256: 353a89691d9d7e9ac7dd5b723da84e4e84abb2a6a9988b5688b7b320ed61de5e
SHA512: e32816a467d8639a1fad36171d5d49c176d21e15f574512e494f1d1ffcfbd4b963f2e07e4abc8c15f6137751270d48aeb8c44725bdc77eeac2baaa53105dc75e
SSDEEP: 12288:c0Siiu2cOMayaZerXXmhFXtVwrypCQTubDf:K3gV6eihQOXTID
Malware Config
Signatures
Executes dropped EXE (9 IoCs)
Processes (pid, process):
1744 SERVXD.EXE
2600 SERVXD.EXE
2620 SERVXD.EXE
2748 PerfWatsonPackage.exe
2732 SERVXD.EXE
2548 msvbprj.exe
940 msvbprj.exe
1944 iexplorer.exe
2408 iexplorer.exe
Loads dropped DLL (15 IoCs)
Processes (pid, process):
1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
1744 SERVXD.EXE
1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
1744 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
2748 PerfWatsonPackage.exe
2748 PerfWatsonPackage.exe
2548 msvbprj.exe
2732 SERVXD.EXE
2732 SERVXD.EXE
1960 dw20.exe
2244 dw20.exe
Processes (resource, yara_rule):
behavioral1/memory/1920-0-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-101-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-104-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-107-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-108-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-109-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-110-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-112-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-113-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-114-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-115-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-117-0x0000000000400000-0x00000000004EA000-memory.dmp upx
behavioral1/memory/1920-118-0x0000000000400000-0x00000000004EA000-memory.dmp upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\© Windows Live Messenger Music Status Plugin Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PerfWatsonPackage.exe" PerfWatsonPackage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\iexplorer.exe" iexplorer.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes (description, pid, process, target process):
PID 1744 set thread context of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 2620 set thread context of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2548 set thread context of 940 2548 msvbprj.exe msvbprj.exe
PID 1944 set thread context of 2408 1944 iexplorer.exe iexplorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
1744 SERVXD.EXE
1744 SERVXD.EXE
1744 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2748 PerfWatsonPackage.exe
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
2620 SERVXD.EXE
1744 SERVXD.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
1960 dw20.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes (description, pid, process):
Token: SeIncreaseQuotaPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeSecurityPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeLoadDriverPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeSystemProfilePrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeSystemtimePrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeBackupPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeRestorePrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeShutdownPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeDebugPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeUndockPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeManageVolumePrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeImpersonatePrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: 33 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: 34 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: 35 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
Token: SeDebugPrivilege 1744 SERVXD.EXE
Token: SeDebugPrivilege 2620 SERVXD.EXE
Token: SeDebugPrivilege 2748 PerfWatsonPackage.exe
Token: SeDebugPrivilege 2548 msvbprj.exe
Token: SeDebugPrivilege 1944 iexplorer.exe
Token: SeDebugPrivilege 2408 iexplorer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
2408 iexplorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process):
PID 1920 wrote to memory of 1744 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1920 wrote to memory of 1744 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1920 wrote to memory of 1744 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1920 wrote to memory of 1744 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1744 wrote to memory of 2600 1744 SERVXD.EXE SERVXD.EXE
PID 1920 wrote to memory of 2620 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1920 wrote to memory of 2620 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1920 wrote to memory of 2620 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1920 wrote to memory of 2620 1920 13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe SERVXD.EXE
PID 1744 wrote to memory of 2748 1744 SERVXD.EXE PerfWatsonPackage.exe
PID 1744 wrote to memory of 2748 1744 SERVXD.EXE PerfWatsonPackage.exe
PID 1744 wrote to memory of 2748 1744 SERVXD.EXE PerfWatsonPackage.exe
PID 1744 wrote to memory of 2748 1744 SERVXD.EXE PerfWatsonPackage.exe
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2620 wrote to memory of 2732 2620 SERVXD.EXE SERVXD.EXE
PID 2748 wrote to memory of 2548 2748 PerfWatsonPackage.exe msvbprj.exe
PID 2748 wrote to memory of 2548 2748 PerfWatsonPackage.exe msvbprj.exe
PID 2748 wrote to memory of 2548 2748 PerfWatsonPackage.exe msvbprj.exe
PID 2748 wrote to memory of 2548 2748 PerfWatsonPackage.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2548 wrote to memory of 940 2548 msvbprj.exe msvbprj.exe
PID 2732 wrote to memory of 1944 2732 SERVXD.EXE iexplorer.exe
PID 2732 wrote to memory of 1944 2732 SERVXD.EXE iexplorer.exe
PID 2732 wrote to memory of 1944 2732 SERVXD.EXE iexplorer.exe
PID 2732 wrote to memory of 1944 2732 SERVXD.EXE iexplorer.exe
PID 940 wrote to memory of 1960 940 msvbprj.exe dw20.exe
PID 940 wrote to memory of 1960 940 msvbprj.exe dw20.exe
PID 940 wrote to memory of 1960 940 msvbprj.exe dw20.exe
PID 940 wrote to memory of 1960 940 msvbprj.exe dw20.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 1944 wrote to memory of 2408 1944 iexplorer.exe iexplorer.exe
PID 2600 wrote to memory of 2244 2600 SERVXD.EXE dw20.exe
PID 2600 wrote to memory of 2244 2600 SERVXD.EXE dw20.exe
PID 2600 wrote to memory of 2244 2600 SERVXD.EXE dw20.exe
PID 2600 wrote to memory of 2244 2600 SERVXD.EXE dw20.exe
Processes (process tree; "Level" is the depth below the submitted sample)
Level 1: C:\Users\Admin\AppData\Local\Temp\13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13b5fbb2847f2f50d7b7427f9c1d892b_JaffaCakes118.exe"
  PID: 1920
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE"
    PID: 1744
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
      PID: 2600
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 484
        PID: 2244
        - Loads dropped DLL
    Level 3: C:\Users\Admin\AppData\Local\Temp\PerfWatsonPackage.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PerfWatsonPackage.exe"
      PID: 2748
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\msvbprj.exe"
        PID: 2548
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\msvbprj.exe
          PID: 940
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            Command line: dw20.exe -x -s 692
            PID: 1960
            - Loads dropped DLL
            - Suspicious behavior: GetForegroundWindowSpam
  Level 2: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE"
    PID: 2620
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\SERVXD.EXE
      PID: 2732
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Roaming\iexplorer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\iexplorer.exe"
        PID: 1944
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Users\Admin\AppData\Roaming\iexplorer.exe
          Command line: C:\Users\Admin\AppData\Roaming\iexplorer.exe
          PID: 2408
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 35KB
MD5: 5de5595461e7d2128487452a00021d0b
SHA1: 475ac303168d7165ba5d51df5b46e5e6169d03fc
SHA256: 2cf9865737b18d9bde9e44c59a039655dca28706f55097a149361e6b6bf54259
SHA512: 799ed7527dedce3e602751032b68d21f619daa45c39d608f07973e9ce316dde947ed716c7f119989f2d7d793a6b14ae05b4f103d49d2b80fe8acd67faac509ca
File 2
Filesize: 132KB
MD5: bfcda558599642269b2856d4d80b58ee
SHA1: 09c0831620131bcaca74307730cc43c67522b2ba
SHA256: 6e72cf5e30718749d6e926742bd6b9b5466194b0a7e9cbea0b38d76c41394329
SHA512: cabc48867a54a432c9236c0d9fe4e1e019ec185d48a3bfe83548f14eb7e619ae23342917540fb3e28a584a44188a1ed81bd5214d5949e59d554eb5ff468893b2