Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
27-06-2024 18:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe
Resource
win7-20240508-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe
Resource
win10v2004-20240611-en
7 signatures
150 seconds
General
-
Target
171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe
-
Size
927KB
-
MD5
171bef4ec12a568a8496e2c39e5f4e8e
-
SHA1
d019dd3f9004920f13b20e5d95586d7a384ebb0b
-
SHA256
85112b77cbc006585648662b56b53fa526093e2689398078ff7ee14d0929bf01
-
SHA512
e58a473c16c973f5f29bddfb93dbdc36440e63869ecd7af32f0761f2e38e73088b54e5f88d6183ab34606b5a0e6444b5f479c5e9f0f5092c525b824f411bc847
-
SSDEEP
24576:wFC/G4K2wSSSMjwvgFS5bJ5TMhmvviZ46hq+:wFR4/lgiKaIq
Score
10/10
Malware Config
Signatures
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup Name = "C:\\Users\\Admin\\AppData\\Roaming\\teest.exe" 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exedescription pid process target process PID 2064 set thread context of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
vbc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2688 vbc.exe Token: SeSecurityPrivilege 2688 vbc.exe Token: SeTakeOwnershipPrivilege 2688 vbc.exe Token: SeLoadDriverPrivilege 2688 vbc.exe Token: SeSystemProfilePrivilege 2688 vbc.exe Token: SeSystemtimePrivilege 2688 vbc.exe Token: SeProfSingleProcessPrivilege 2688 vbc.exe Token: SeIncBasePriorityPrivilege 2688 vbc.exe Token: SeCreatePagefilePrivilege 2688 vbc.exe Token: SeBackupPrivilege 2688 vbc.exe Token: SeRestorePrivilege 2688 vbc.exe Token: SeShutdownPrivilege 2688 vbc.exe Token: SeDebugPrivilege 2688 vbc.exe Token: SeSystemEnvironmentPrivilege 2688 vbc.exe Token: SeChangeNotifyPrivilege 2688 vbc.exe Token: SeRemoteShutdownPrivilege 2688 vbc.exe Token: SeUndockPrivilege 2688 vbc.exe Token: SeManageVolumePrivilege 2688 vbc.exe Token: SeImpersonatePrivilege 2688 vbc.exe Token: SeCreateGlobalPrivilege 2688 vbc.exe Token: 33 2688 vbc.exe Token: 34 2688 vbc.exe Token: 35 2688 vbc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
vbc.exepid process 2688 vbc.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exedescription pid process target process PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe PID 2064 wrote to memory of 2688 2064 171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\171bef4ec12a568a8496e2c39e5f4e8e_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2688