Analysis
- max time kernel: 140s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 21:24
Behavioral task: behavioral1
- Sample: 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe
- Size: 797KB
- MD5: 17952d6d362fb10f6feba49016730c98
- SHA1: 5b8389cde6345a369a25bd2ae92c54392048b1da
- SHA256: 838f0dfabc78e448aa17c69ad07715f89532ff8deb4081e4952179aafc4a44e2
- SHA512: caa9bbd20df19c6ce3663621a23ea68557ede61cf7249d60df626b699869ccd624534d6edbd73d46e3bbd7fac8460e6d66c052a5aa5e4fb1262cac38dbbb1be0
- SSDEEP: 12288:sFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0c/q:M3nbWmJVJFwSddIXvfhqbiaxvRFq
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes:
    PID 2664 attrib.exe
    PID 2928 attrib.exe
- Processes (memory dump YARA matches):
    behavioral1/memory/2972-0-0x0000000000400000-0x00000000004C9000-memory.dmp (yara_rule: upx)
    behavioral1/memory/2704-19-0x0000000000400000-0x00000000004C9000-memory.dmp (yara_rule: upx)
    behavioral1/memory/2972-20-0x0000000000400000-0x00000000004C9000-memory.dmp (yara_rule: upx)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 2972 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe set thread context of PID 2704 iexplore.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    PID 2704 iexplore.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
    PID 2972 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
    PID 2704 iexplore.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    PID 2704 iexplore.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    PID 2972 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe wrote to memory of PID 2796 cmd.exe (4 events)
    PID 2972 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe wrote to memory of PID 2660 cmd.exe (4 events)
    PID 2972 17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe wrote to memory of PID 2704 iexplore.exe (6 events)
    PID 2660 cmd.exe wrote to memory of PID 2664 attrib.exe (4 events)
    PID 2796 cmd.exe wrote to memory of PID 2928 attrib.exe (4 events)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
    PID 2664 attrib.exe
    PID 2928 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe"
  PID: 2972
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 2796
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2928
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    PID: 2660
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2664
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 2704
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 101B
  MD5: dbff1287eec172111832ecaac475fc98
  SHA1: e8f43497ddf34a7d0f23d49e5699661bb8f05d5e
  SHA256: 8c2e45a0bf8926a91a493c387075f515f20c5e71b28da9338c6fab0b13334018
  SHA512: 06ccfc09b0bdcd25c2c45913ed24e816b47dfb1ceac13f14a7df354fda0d526c05ad0f6fbc95bc4ae78bebb9ad026adbced1c97b370b4f4bfa5bf9034afb5989
- Filesize: 50B
  MD5: b774ae3fb1da087e1f83b4f7b2060e5a
  SHA1: 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
  SHA256: adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
  SHA512: f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701