Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 21:21
Static task
static1
Behavioral task
behavioral1
Sample
13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe
Resource
win7-20240508-en
General
Target: 13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe
Size: 960KB
MD5: 13803ebdba0993bab5f7229fd955972b
SHA1: a5e977d4dcdd53be60f0f48910d1b92ea7628202
SHA256: bbd2e79112498c9b3bf4c64a4843e7f54a260136846fcb3bbf123eee9c50225f
SHA512: 457d97542f2114f95a526ab771fca972c6cc41bc07aa4106fa75973ef429f7562dc2e0cce0b146b82648a21459424ec0a395923394cfe5ca4fba05479c60b391
SSDEEP: 12288:7kum12MecQTjV49hdWtuL+mi18X/x0JYBOVDaW9Aqhbfxb+FM9TqCPC04:hMXecGV4dRL+/1865VD7AAbJKuO
Malware Config
Signatures
Drops startup file (2 IoCs)
Processes: 13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe (process: 13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacbookUpdate.exe (process: 13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe)
Executes dropped EXE (2 IoCs)
Processes: Service.exe, 13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
  PID 2076: Service.exe
  PID 2808: 13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe
Loads dropped DLL (3 IoCs)
Processes: 13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe
  PID 2896: 13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe (3 entries)
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
Processes: 13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe
  PID 2896 (13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe) set thread context of PID 2076 (Service.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes: Service.exe
  PID 2076 (Service.exe) adjusted token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Service.exe
  PID 2076: Service.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe, vbc.exe
  PID 2896 (13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe) wrote to memory of PID 2076 (Service.exe): 13 entries
  PID 2896 (13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe) wrote to memory of PID 2748 (vbc.exe): 4 entries
  PID 2748 (vbc.exe) wrote to memory of PID 2344 (cvtres.exe): 4 entries
  PID 2896 (13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe) wrote to memory of PID 2808 (13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe): 4 entries
Processes
C:\Users\Admin\AppData\Local\Temp\13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13803ebdba0993bab5f7229fd955972b_JaffaCakes118.exe"
  PID: 2896
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\\plugtemp\Service.exe
    PID: 2076
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tasmovav.cmdline"
    PID: 2748
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AD0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3ACF.tmp"
      PID: 2344
  C:\Users\Admin\AppData\Roaming\13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\13803ebdba0993bab5f7229fd955972b_JaffaCakes1181.exe"
    PID: 2808
    - Drops startup file
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads