Analysis
-
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 08:46
Behavioral task: behavioral1
Sample: 11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
-
Target: 11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
Size: 77KB
MD5: 11685dce1e91f778788830d7eece48de
SHA1: 9843a1f12e6b9026b1da5a0f31198c081ec7c45e
SHA256: 399d231b8d6155b7eb56289b57e5065b7439da31f265ef423b7bcf61d45019e2
SHA512: 68393b06b933c4af2b22789820c4416ec62b22ee21f61b12487af9bae03f86757dc2d07200e530c03c5e8a487a10405b41443d5a42f2113527da25c5a2755ffc
SSDEEP: 1536:+5PM78Yn+qGOPRjtPGBWH5dRm1gwxCN7/GNQPifOorO4m4jcNhtRmXxiRFg5s2xH:MM78E/GiUWnRm+5rPifOorBm4wNhtRmJ
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid   Process
2496  cmd.exe
-
Executes dropped EXE 2 IoCs
pid   Process
2724  Aqnticivei.exe
2668  Aqnticivei.exe
-
Loads dropped DLL 2 IoCs
pid   Process
2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
-
resource                                                                     yara_rule
behavioral1/memory/2180-0-0x0000000000400000-0x0000000000424000-memory.dmp   vmprotect
behavioral1/memory/2180-3-0x0000000000400000-0x0000000000424000-memory.dmp   vmprotect
behavioral1/files/0x000e000000014708-10.dat                                  vmprotect
behavioral1/memory/2724-13-0x0000000000400000-0x0000000000424000-memory.dmp  vmprotect
behavioral1/memory/2724-14-0x0000000000400000-0x0000000000424000-memory.dmp  vmprotect
behavioral1/memory/2180-15-0x0000000000400000-0x0000000000424000-memory.dmp  vmprotect
behavioral1/memory/2668-17-0x0000000000400000-0x0000000000424000-memory.dmp  vmprotect
behavioral1/memory/2724-19-0x0000000000400000-0x0000000000424000-memory.dmp  vmprotect
behavioral1/memory/2668-26-0x0000000000400000-0x0000000000424000-memory.dmp  vmprotect
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid   Process
2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
2724  Aqnticivei.exe
2668  Aqnticivei.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process         procid_target
PID 2668 set thread context of 2512  2668  Aqnticivei.exe  31
-
Drops file in Program Files directory 2 IoCs
description                   ioc                                                Process
File created                  C:\Program Files\Internet Explorer\Aqnticivei.exe  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
File opened for modification  C:\Program Files\Internet Explorer\Aqnticivei.exe  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                        pid   Process
Token: SeIncBasePriorityPrivilege  2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
description                        pid   Process                                              procid_target
PID 2180 wrote to memory of 2724   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  28
PID 2180 wrote to memory of 2724   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  28
PID 2180 wrote to memory of 2724   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  28
PID 2180 wrote to memory of 2724   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  28
PID 2180 wrote to memory of 2496   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  29
PID 2180 wrote to memory of 2496   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  29
PID 2180 wrote to memory of 2496   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  29
PID 2180 wrote to memory of 2496   2180  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  29
PID 2668 wrote to memory of 2512   2668  Aqnticivei.exe                                       31
PID 2668 wrote to memory of 2512   2668  Aqnticivei.exe                                       31
PID 2668 wrote to memory of 2512   2668  Aqnticivei.exe                                       31
PID 2668 wrote to memory of 2512   2668  Aqnticivei.exe                                       31
PID 2668 wrote to memory of 2512   2668  Aqnticivei.exe                                       31
PID 2668 wrote to memory of 2512   2668  Aqnticivei.exe                                       31
Processes
-
C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
-
  C:\Program Files\Internet Explorer\Aqnticivei.exe
  Command line: "C:\Program Files\Internet Explorer\Aqnticivei.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2724
-
  C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\11685D~1.EXE > nul
  - Deletes itself
  PID:2496
-
C:\Program Files\Internet Explorer\Aqnticivei.exe
Command line: "C:\Program Files\Internet Explorer\Aqnticivei.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668
-
  C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\system32\explorer.exe
  PID:2512
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 77KB
MD5: 11685dce1e91f778788830d7eece48de
SHA1: 9843a1f12e6b9026b1da5a0f31198c081ec7c45e
SHA256: 399d231b8d6155b7eb56289b57e5065b7439da31f265ef423b7bcf61d45019e2
SHA512: 68393b06b933c4af2b22789820c4416ec62b22ee21f61b12487af9bae03f86757dc2d07200e530c03c5e8a487a10405b41443d5a42f2113527da25c5a2755ffc