Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 06:10
Static task: static1
Behavioral task: behavioral1
- Sample: 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
- Size: 341KB
- MD5: 14f204348c8a1092929f8de9140a61fc
- SHA1: 2dd400491f442384bad0a653d16a32b4890bfc88
- SHA256: 44c4b503e0e057900c9480c6db018d3a4fd36a963bc573ed9cdeffe8d9254d70
- SHA512: 49e9769fe5ab587baa8c5ba9c71712fb86b324fd1676057ac87e8009ae9728e672de8c92cd10dd190b39b5de353cfe1186c460ff572f4b53ffa21df1ac44f9fa
- SSDEEP: 6144:hFtTlXtdNCMHjDIlqePRJSnteu0tGPJd4Q1FDea7ID5HCFJOZ/FrOFg:BxX7NCAjjePRkouFP8gpfJOZ9a
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2824  lssam.exe
  2696  spolsv.exe
Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  1752  14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
  1752  14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
  2824  lssam.exe
  2824  lssam.exe
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1600-9-0x0000000000400000-0x00000000004C7000-memory.dmp   upx
  behavioral1/memory/1600-16-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-15-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-11-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-17-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-19-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-22-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-21-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-20-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/1600-24-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/2844-44-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/2844-48-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/2844-47-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
  behavioral1/memory/2844-46-0x0000000000400000-0x00000000004C7000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  process:     lssam.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lssam.exe"
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  PID 1752 (14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe) set thread context of 1600 (AppLaunch.exe)
  PID 1600 (AppLaunch.exe) set thread context of 2740 (iexplore.exe)
  PID 2696 (spolsv.exe) set thread context of 2844 (AppLaunch.exe)
  PID 2844 (AppLaunch.exe) set thread context of 2532 (iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (the same three processes recur across all 64 entries):
  pid   process
  1752  14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
  2824  lssam.exe
  2696  spolsv.exe
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes:
  1752 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe: SeDebugPrivilege
  1600 AppLaunch.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  2824 lssam.exe: SeDebugPrivilege
  2696 spolsv.exe: SeDebugPrivilege
  2844 AppLaunch.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (48 IoCs)
Processes (source pid/process -> target pid/process; number of repeated entries):
  1752 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe -> 1600 AppLaunch.exe (11 entries)
  1600 AppLaunch.exe -> 2740 iexplore.exe (9 entries)
  1752 14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe -> 2824 lssam.exe (4 entries)
  2824 lssam.exe -> 2696 spolsv.exe (4 entries)
  2696 spolsv.exe -> 2844 AppLaunch.exe (11 entries)
  2844 AppLaunch.exe -> 2532 iexplore.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\14f204348c8a1092929f8de9140a61fc_JaffaCakes118.exe"
  PID: 1752
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    PID: 1600
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2740
  - C:\Users\Admin\AppData\Local\Temp\System\lssam.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\System\lssam.exe"
    PID: 2824
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
      PID: 2696
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        PID: 2844
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\iexplore.exe
          command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 2532
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 341KB
  MD5: 14f204348c8a1092929f8de9140a61fc
  SHA1: 2dd400491f442384bad0a653d16a32b4890bfc88
  SHA256: 44c4b503e0e057900c9480c6db018d3a4fd36a963bc573ed9cdeffe8d9254d70
  SHA512: 49e9769fe5ab587baa8c5ba9c71712fb86b324fd1676057ac87e8009ae9728e672de8c92cd10dd190b39b5de353cfe1186c460ff572f4b53ffa21df1ac44f9fa
- Filesize: 25KB
  MD5: b347591498c2c74cc3c23597cb1f34cc
  SHA1: 27054194904202938e3e7cdb10cf2c291767fdef
  SHA256: 24ada6c187f2c3188bd3e437443822f4f87fd997d9cc8d6d4abf38ba28e8528b
  SHA512: e365f543b667ccc9b0fe5d3e5827e4df0f0f5a72676f3e7fc498ebe2f84d67d14db54d6742fdabe9c08004c6dce76d7befeac6b3f39ba1163663ae870ea973b6