Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 22:47
Static task: static1
Behavioral task: behavioral1
- Sample: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
- Size: 866KB
- MD5: 17d02350b80c3c03c0be2b1acab650d1
- SHA1: 775181f6686d21806ba7e6fe4ae1ecdc82d0157f
- SHA256: de8636c5d87d276a4971eab3cbe5d3d3bb18618e8a24ae27b154e1548bd438a4
- SHA512: e61b19867eb0aff9d43ab7f13ac73217d0bd244e8b908eb902940315d77c3df67fbde40f7d80d602d8f491065fdb98791deb5f3fd4c122ef010f09616d1aaade
- SSDEEP: 3072:dBUyU7/NUauKvxUjUYqDbf5PBb6Tx3zU5IYUeyUwgUn1UdjgUtGU4rZ/ME+h0UIx:CQdx8nHZtwjWK3FFQgzv1x5
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: hgjvhnfgg.duckdns.org:8057
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe\""
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe

Drops startup file (2 IoCs)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - description: File opened for modification
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe"
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe"
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    (the same row is reported 8 times)

Suspicious use of SetThreadContext (1 IoC)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - description: PID 1884 set thread context of 3004
    pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    target process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
  - pid: 2132
    process: timeout.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    (the same row is reported 5 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  - description: Token: SeDebugPrivilege
    pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe, cmd.exe
  - description: PID 1884 wrote to memory of 3036
    pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    target process: cmd.exe
    (reported 4 times)
  - description: PID 3036 wrote to memory of 2132
    pid: 3036
    process: cmd.exe
    target process: timeout.exe
    (reported 4 times)
  - description: PID 1884 wrote to memory of 2144
    pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    target process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    (reported 4 times)
  - description: PID 1884 wrote to memory of 2152
    pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    target process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    (reported 4 times)
  - description: PID 1884 wrote to memory of 3004
    pid: 1884
    process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    target process: 17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    (reported 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe"
  PID: 1884
  signatures:
    - Modifies WinLogon for persistence
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    PID: 3036
    signatures:
      - Suspicious use of WriteProcessMemory
    children:
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout 1
      PID: 2132
      signatures:
        - Delays execution with timeout.exe
  - C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe"
    PID: 2144
  - C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe"
    PID: 2152
  - C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\17d02350b80c3c03c0be2b1acab650d1_JaffaCakes118.exe"
    PID: 3004