Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 08:46
Static task
static1
Behavioral task
behavioral1
Sample
1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
1980712458a4b2b97eba5f0cfdbca6ab
-
SHA1
8912771a25ba4e073b0b774a4d7420ef886089fe
-
SHA256
b38dc61a16db2a727f5bce5610614bc986d2920cc170d565a040805373db9b66
-
SHA512
c87a3fd4a94485a69906803ac5a7d264958e512e15b08fc5964cf42b3a0e4762135d71b0d093609baf977e3ba242143453a8e27d558143760cf97bb60a8530c7
-
SSDEEP
49152:1AJYJOsBshId2l9SaxlK/HrY2oR2GveCQL+iRHy:GJYJrKh2vHrVoRDv+L+iRS
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2744 cmd.exe -
Executes dropped EXE 7 IoCs
Processes:
foto.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exepid process 2588 foto.exe 2056 rutserv.exe 2288 rutserv.exe 2548 rutserv.exe 2256 rfusclient.exe 2312 rfusclient.exe 1160 rfusclient.exe -
Loads dropped DLL 11 IoCs
Processes:
WScript.execmd.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exepid process 1708 WScript.exe 2492 cmd.exe 2056 rutserv.exe 2492 cmd.exe 2288 rutserv.exe 2548 rutserv.exe 2548 rutserv.exe 2548 rutserv.exe 2256 rfusclient.exe 2312 rfusclient.exe 1160 rfusclient.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\foto.exe upx behavioral1/memory/2588-11-0x0000000000400000-0x0000000000A87000-memory.dmp upx behavioral1/memory/2588-146-0x0000000000400000-0x0000000000A87000-memory.dmp upx -
Drops file in System32 directory 10 IoCs
Processes:
cmd.exeattrib.exeattrib.exedescription ioc process File created C:\Windows\SysWOW64\rfusclient.exe cmd.exe File opened for modification C:\Windows\SysWOW64\rutserv.exe attrib.exe File opened for modification C:\Windows\SysWOW64\HookDrv.dll cmd.exe File created C:\Windows\SysWOW64\rversionlib.dll cmd.exe File opened for modification C:\Windows\SysWOW64\rfusclient.exe cmd.exe File created C:\Windows\SysWOW64\rutserv.exe cmd.exe File opened for modification C:\Windows\SysWOW64\rutserv.exe cmd.exe File opened for modification C:\Windows\SysWOW64\rfusclient.exe attrib.exe File created C:\Windows\SysWOW64\HookDrv.dll cmd.exe File opened for modification C:\Windows\SysWOW64\rversionlib.dll cmd.exe -
Drops file in Windows directory 2 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\1.jpg cmd.exe File created C:\Windows\1.jpg cmd.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 2480 sc.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs .reg file with regedit 1 IoCs
Processes:
regedit.exepid process 828 regedit.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
rutserv.exerfusclient.exepid process 2548 rutserv.exe 2548 rutserv.exe 2312 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
rutserv.exerutserv.exerutserv.exedescription pid process Token: SeDebugPrivilege 2056 rutserv.exe Token: SeDebugPrivilege 2288 rutserv.exe Token: SeTakeOwnershipPrivilege 2548 rutserv.exe Token: SeTcbPrivilege 2548 rutserv.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exepid process 2908 DllHost.exe -
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exeWScript.exefoto.execmd.exerutserv.exerfusclient.exedescription pid process target process PID 2796 wrote to memory of 1708 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe WScript.exe PID 2796 wrote to memory of 1708 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe WScript.exe PID 2796 wrote to memory of 1708 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe WScript.exe PID 2796 wrote to memory of 1708 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe WScript.exe PID 1708 wrote to memory of 2588 1708 WScript.exe foto.exe PID 1708 wrote to memory of 2588 1708 WScript.exe foto.exe PID 1708 wrote to memory of 2588 1708 WScript.exe foto.exe PID 1708 wrote to memory of 2588 1708 WScript.exe foto.exe PID 2796 wrote to memory of 2744 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe cmd.exe PID 2796 wrote to memory of 2744 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe cmd.exe PID 2796 wrote to memory of 2744 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe cmd.exe PID 2796 wrote to memory of 2744 2796 1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe cmd.exe PID 2588 wrote to memory of 2492 2588 foto.exe cmd.exe PID 2588 wrote to memory of 2492 2588 foto.exe cmd.exe PID 2588 wrote to memory of 2492 2588 foto.exe cmd.exe PID 2588 wrote to memory of 2492 2588 foto.exe cmd.exe PID 2492 wrote to memory of 2480 2492 cmd.exe sc.exe PID 2492 wrote to memory of 2480 2492 cmd.exe sc.exe PID 2492 wrote to memory of 2480 2492 cmd.exe sc.exe PID 2492 wrote to memory of 2480 2492 cmd.exe sc.exe PID 2492 wrote to memory of 2508 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 2508 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 2508 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 2508 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 1432 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 1432 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 1432 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 1432 2492 cmd.exe attrib.exe PID 2492 wrote to memory of 828 2492 cmd.exe regedit.exe PID 2492 wrote to memory of 828 2492 cmd.exe regedit.exe PID 2492 wrote to memory of 828 2492 cmd.exe regedit.exe PID 2492 wrote to memory of 828 2492 cmd.exe regedit.exe PID 2492 wrote to memory of 2056 2492 cmd.exe rutserv.exe PID 2492 wrote to memory of 2056 2492 cmd.exe rutserv.exe PID 2492 wrote to memory of 2056 2492 cmd.exe rutserv.exe PID 2492 wrote to memory of 2056 2492 cmd.exe rutserv.exe PID 2492 wrote to memory of 2288 2492 cmd.exe rutserv.exe PID 2492 wrote to memory of 2288 2492 cmd.exe rutserv.exe PID 2492 wrote to memory of 2288 2492 cmd.exe rutserv.exe PID 2492 wrote to memory of 2288 2492 cmd.exe rutserv.exe PID 2548 wrote to memory of 2256 2548 rutserv.exe rfusclient.exe PID 2548 wrote to memory of 2256 2548 rutserv.exe rfusclient.exe PID 2548 wrote to memory of 2256 2548 rutserv.exe rfusclient.exe PID 2548 wrote to memory of 2256 2548 rutserv.exe rfusclient.exe PID 2548 wrote to memory of 2312 2548 rutserv.exe rfusclient.exe PID 2548 wrote to memory of 2312 2548 rutserv.exe rfusclient.exe PID 2548 wrote to memory of 2312 2548 rutserv.exe rfusclient.exe PID 2548 wrote to memory of 2312 2548 rutserv.exe rfusclient.exe PID 2312 wrote to memory of 1160 2312 rfusclient.exe rfusclient.exe PID 2312 wrote to memory of 1160 2312 rfusclient.exe rfusclient.exe PID 2312 wrote to memory of 1160 2312 rfusclient.exe rfusclient.exe PID 2312 wrote to memory of 1160 2312 rfusclient.exe rfusclient.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2508 attrib.exe 1432 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1980712458a4b2b97eba5f0cfdbca6ab_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\foto.exe"C:\Users\Admin\AppData\Local\Temp\foto.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1600.tmp\foto.bat" "4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\sc.exesc delete SharedAccess5⤵
- Launches sc.exe
PID:2480 -
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r "C:\Windows\system32\rfusclient.exe"5⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:2508 -
C:\Windows\SysWOW64\attrib.exeattrib +h +s +r "C:\Windows\system32\rutserv.exe"5⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:1432 -
C:\Windows\SysWOW64\regedit.exeregedit /s hak.reg5⤵
- Runs .reg file with regedit
PID:828 -
C:\Windows\SysWOW64\rutserv.exe"C:\Windows\system32\rutserv.exe" /server /silentinstall5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\SysWOW64\rutserv.exe"C:\Windows\system32\rutserv.exe" /server /start5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2288 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
- Deletes itself
PID:2744
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:2908
-
C:\Windows\SysWOW64\rutserv.exeC:\Windows\SysWOW64\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\rfusclient.exeC:\Windows\SysWOW64\rfusclient.exe /tray2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD542aeb1c40ec4668176a1a770cff134b6
SHA121064102b097093a73d1702f4f68b8c9c163948f
SHA256a014e91ebd5b3e06a988cd06b7ca476a9023b2adf45d519a246a995e4a088f91
SHA512c409964163fcf5064da9b6f3932c99ddc10e9d3268ae61194be6f5ec6d28bf101fa38b9788d1a9a827572065986e664d17adaf8828bf034706d4d55203d0c006
-
Filesize
144KB
MD5513066a38057079e232f5f99baef2b94
SHA1a6da9e87415b8918447ec361ba98703d12b4ee76
SHA25602dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e
SHA51283a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5
-
Filesize
608B
MD5cf22baa288ca6610573d870d7f68889d
SHA18b438dc561765c884e8fb6fffdc81e861fd54b40
SHA256733b92c89a2f9b74d2d8b738faeb472bcbfc1668c48be4d1c35c9d54ffc55d58
SHA512be9ee8f097c9d43dd5b74971171a12e1ba1a529bb7fe380c9d48d2840c34591839ad7966ddce4ef7e22ef28b270acdb7854dc2861878ac7e29d7d013901cc7d8
-
Filesize
14KB
MD5d6e314a2bd764424fc9eadb6287626c9
SHA10e4f5b516026149add33a466257cb8925b6aa857
SHA2566f4845a5e709853cc2f5a5821d44ca6f74919026e7f3f41178b19daf0bdb780a
SHA512ba79f21733439d14f41a9fc78ff02be4452c2b3cd217267135b055ea3b98068e4cc47cebd74fb7a5713ce91a247546fecb864ce2585b405a1f9422dc009c49be
-
Filesize
2.8MB
MD5f449d06b49e258b04bba5eaeab748aa2
SHA16de5e6fba23c681c949240f5435fba33e3034d27
SHA256c18c2bbafdab4e5974ede842bd4bd854deff9135356681ff84ba2f1c047e7c7a
SHA512b6441ae86e4f65e9d85a75312cc27e0bcc2992c89691be239e787ca28e69409a074e6ae0d1d45f518743fa60c664b85d120786dd57b6faf25bad6cb0b1a90e48
-
Filesize
3.2MB
MD511fe69e28c7fc7e975b6485520174de8
SHA1b2e6f974adcec6b18e54e27f83805d8ce3560dea
SHA2562d3c994449f1b13d55e22bbbae4bf36269f21a726c681271ecffc9fcab8f0425
SHA51225a05981afc787d48bd78a2e6a5df28040bb485fc18cccde68c9337597cabff5c70258bba7cbed802075800c9918664cadae775346887544ca7c9a3829f18aa9
-
Filesize
310KB
MD516ae96fc0134c9163a404aca5c8115da
SHA1a4818324c392a53166d42c879cdb70f0efea46af
SHA25616e801ff476b93016930ec879181661dc7d098424d4e383935b186e5eb5c5c6d
SHA51298eeb9307ad75459364cd67f341be46578d15907d657fc5c49d37a04e1fc71e6ed23d46865fca085b82027eeeebcb546861a43f6cbba537b63075224e9fb0c13
-
Filesize
264B
MD513430c0f8360456f801f9bc372e7624c
SHA18665531e12a3de10e21f3f450ecdbcc9f1b5f124
SHA256bab6df9bb282727cd467627d63a05202808951fe9c205e2f8d0849e262d9fa67
SHA512f6dc4e2f776b29a014de4eebc02fbc9de1eb9a96f52e799cd3660afa91ae66b60dcb0155a355a266dbe87097611bd8b624b4ff5b6308bf9bda1e189b0af627ce
-
Filesize
1.6MB
MD53566e183de87939f2d75c4c9ae208465
SHA144ac8d4a7206801522c80f7a6ee6c282a0359b0f
SHA2564af6351a3440aa4ee3c5ad4d94fec406d0b8f9d11e06449562349ed4424c7678
SHA512a49639505c5701d4f3599e0908dc55c4b6350c5ed3e2ab03af56aeae8c1623b373cadfc6ed6da4f2f062b9a7c9ab4207bcfa86e82cdf1646f2755cd4c297a007
-
Filesize
212B
MD5a3d0a0d32ce3c60f0b205d882435f8ac
SHA1b28bad3ef81216f14fd7a262a3ebc2258fcc7d9d
SHA256e7455abc7bdc2d705b007e9b0332e7c8d3793492f33324c7dd10b0a0513c2e3f
SHA512ea53f374b3291ec6ede586250ba787567c37c5f44014d347ac02612071c69f51e8499f2b26e6a7e957f5ca1749495f5c7398f479dd0dbe9bd29e95fa15843af9