Analysis
- max time kernel: 43s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 08:03
Behavioral task: behavioral1
- Sample: 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
- Size: 955KB
- MD5: 1148dd1cc69dc62df9c3686c8e126c4e
- SHA1: 306e3a04e66886a3f3c3c21a320b17bd21ae43b3
- SHA256: 1e3dcabb30ae28ac2e994d0b09395988eabeb16d86286ab91d7c790fa154fea9
- SHA512: a572acbc3098ab2ebcfcc1cc7ec4e1e4be2d14c073f2b5b95860ab3d6ed3902fb88a6f4d4ac79842a6ba92d89a105d1418503617d84867a637676031dffbdf22
- SSDEEP: 12288:hiZ4lgGGnVAAtZMC12BXnh6ya+sNzaOvoJpaz/g/J/vVQT:sGlX8VAAtZp43u+sNH8az/g/J/NQ
Malware Config
Signatures
Drops file in Drivers directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\drivers\acpiec.sys | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\drivers\pcidump.sys | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
Loads dropped DLL (6 IoCs)
pid | Process
2464 | rundll32.exe
2464 | rundll32.exe
2464 | rundll32.exe
2464 | rundll32.exe
3044 | WerFault.exe
3044 | WerFault.exe
resource | yara_rule
behavioral1/memory/2320-0-0x0000000000400000-0x0000000000431000-memory.dmp | vmprotect
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
File opened for modification | C:\autorun.inf | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
File created | F:\autorun.inf | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\a18467stva41a.dll | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\def26500aab6334ccd.dll | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
2880 | sc.exe
2212 | sc.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3044 | 2464 | WerFault.exe | 43
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
pid | Process
1572 | ipconfig.exe
Kills process with taskkill (4 IoCs)
pid | Process
2488 | taskkill.exe
2864 | taskkill.exe
2592 | taskkill.exe
2148 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
2464 | rundll32.exe
2464 | rundll32.exe
Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
480 | Process not Found
480 | Process not Found
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2592 | taskkill.exe
Token: SeDebugPrivilege | 2488 | taskkill.exe
Token: SeDebugPrivilege | 2864 | taskkill.exe
Token: SeDebugPrivilege | 2148 | taskkill.exe
Token: SeDebugPrivilege | 2464 | rundll32.exe
Token: SeDebugPrivilege | 2464 | rundll32.exe
Token: SeDebugPrivilege | 2464 | rundll32.exe
Suspicious use of WriteProcessMemory (43 IoCs)
description | pid | Process | procid_target
PID 2320 wrote to memory of 2880 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 28
PID 2320 wrote to memory of 2880 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 28
PID 2320 wrote to memory of 2880 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 28
PID 2320 wrote to memory of 2880 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 28
PID 2320 wrote to memory of 2212 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 29
PID 2320 wrote to memory of 2212 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 29
PID 2320 wrote to memory of 2212 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 29
PID 2320 wrote to memory of 2212 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 29
PID 2320 wrote to memory of 2864 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 31
PID 2320 wrote to memory of 2864 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 31
PID 2320 wrote to memory of 2864 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 31
PID 2320 wrote to memory of 2864 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 31
PID 2320 wrote to memory of 2592 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 32
PID 2320 wrote to memory of 2592 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 32
PID 2320 wrote to memory of 2592 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 32
PID 2320 wrote to memory of 2592 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 32
PID 2320 wrote to memory of 2148 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 35
PID 2320 wrote to memory of 2148 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 35
PID 2320 wrote to memory of 2148 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 35
PID 2320 wrote to memory of 2148 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 35
PID 2320 wrote to memory of 2488 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 37
PID 2320 wrote to memory of 2488 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 37
PID 2320 wrote to memory of 2488 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 37
PID 2320 wrote to memory of 2488 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 37
PID 2320 wrote to memory of 2496 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 40
PID 2320 wrote to memory of 2496 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 40
PID 2320 wrote to memory of 2496 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 40
PID 2320 wrote to memory of 2496 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 40
PID 2320 wrote to memory of 2464 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 43
PID 2320 wrote to memory of 2464 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 43
PID 2320 wrote to memory of 2464 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 43
PID 2320 wrote to memory of 2464 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 43
PID 2320 wrote to memory of 2464 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 43
PID 2320 wrote to memory of 2464 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 43
PID 2320 wrote to memory of 2464 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 43
PID 2464 wrote to memory of 3044 | 2464 | rundll32.exe | 44
PID 2464 wrote to memory of 3044 | 2464 | rundll32.exe | 44
PID 2464 wrote to memory of 3044 | 2464 | rundll32.exe | 44
PID 2464 wrote to memory of 3044 | 2464 | rundll32.exe | 44
PID 2320 wrote to memory of 1572 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 45
PID 2320 wrote to memory of 1572 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 45
PID 2320 wrote to memory of 1572 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 45
PID 2320 wrote to memory of 1572 | 2320 | 1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe | 45
Processes (tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1148dd1cc69dc62df9c3686c8e126c4e_JaffaCakes118.exe"
   - Drops file in Drivers directory
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2320

   2. C:\Windows\SysWOW64\sc.exe
      Command line: sc config ekrn start= disabled
      - Launches sc.exe
      PID: 2880

   2. C:\Windows\SysWOW64\sc.exe
      Command line: sc config rsravmon start= disabled
      - Launches sc.exe
      PID: 2212

   2. C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im ekrn.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2864

   2. C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im egui.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2592

   2. C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im 360sd.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2148

   2. C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im 360sd_se.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 2488

   2. C:\Windows\SysWOW64\cacls.exe
      Command line: cacls C:\Users\Admin\AppData\Local\Temp\ /e /p everyone:f cacls "C:\Windows" /e /p everyone:f
      PID: 2496

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Windows\system32\a18467stva41a.dll, droqp
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2464

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 320
         - Loads dropped DLL
         - Program crash
         PID: 3044

   2. C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /all
      - Gathers network information
      PID: 1572
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
- MD5: c33c88aa771dd3a019608c0dfe47bdb2
- SHA1: 94f5b9d14bc7506dce737ceb7db192942d311907
- SHA256: 56850456721c2cacd7040f08e0f86b278423a9a3264cf4d4971d186b991db713
- SHA512: c9a9327c69e3fa2a133aece1d2b9873f21986207946690b98f91f528bdd0867026467a9bc286d509f27c13ba6c5efd3df128df2925cfa037bb0496adbb24bfb6