Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 09:06
Behavioral task
behavioral1
Sample
1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe
-
Size
782KB
-
MD5
1ab50a64b28eb24c4ba25cce1e4a10b3
-
SHA1
97e6fc6e2d7a39c54b07ccb2b7398d73ba287eba
-
SHA256
2f61675e9ea414fbad8c9f174b0318acc0e968d31cfdbc8f69443ec234a9c495
-
SHA512
00702a4917dc61c3c9882b88380462326a6abf571081d52bf3ae0679e2adaed84d2906dc63507e87485360f001406fc692da3391851d2c4371b4020877865a49
-
SSDEEP
12288:YOlx4kk9HKda4YfM/1T3PPSnPI2VAWNDTJHq9DIMTW8c10:YA4Ya1fQzPPSnPFqWtTJK9DIMTW8F
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Deletes itself 1 IoCs
pid Process 2604 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2108 giizk.exe 2612 buucg.exe -
Loads dropped DLL 2 IoCs
pid Process 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 2108 giizk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe 2612 buucg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2612 buucg.exe Token: SeIncBasePriorityPrivilege 2612 buucg.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2108 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 28 PID 2408 wrote to memory of 2108 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 28 PID 2408 wrote to memory of 2108 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 28 PID 2408 wrote to memory of 2108 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 28 PID 2408 wrote to memory of 2604 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 29 PID 2408 wrote to memory of 2604 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 29 PID 2408 wrote to memory of 2604 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 29 PID 2408 wrote to memory of 2604 2408 1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe 29 PID 2108 wrote to memory of 2612 2108 giizk.exe 33 PID 2108 wrote to memory of 2612 2108 giizk.exe 33 PID 2108 wrote to memory of 2612 2108 giizk.exe 33 PID 2108 wrote to memory of 2612 2108 giizk.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1ab50a64b28eb24c4ba25cce1e4a10b3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\giizk.exe"C:\Users\Admin\AppData\Local\Temp\giizk.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\buucg.exe"C:\Users\Admin\AppData\Local\Temp\buucg.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
PID:2604
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304B
MD50bafbfab87bed5a68670dccfce80ec2a
SHA159941ca8fb894dab95292ae3068e393228101c5c
SHA2560a7200da2766b3ed8bb8b1a34a3750f8fead7b4ef4cc335a8c41ba8eee51de21
SHA512b605df17f2d30b7d807c6e0fbcbcc23d6681277e566aa776f6b47b118967ce7094de7e1684a96db35c7929d4d5028aae4697ef3fa1f9d46bac360a185dfa8a35
-
Filesize
512B
MD53215ce12594221a506a5209b0d971c05
SHA167f1da7ec9c06af022452c25a533124c7bba0b4e
SHA2567605c0823c1feb4b38dab4f4d1dba21eec1e442786073ea350f2484efe7ab8a6
SHA512934ec3928a8f8d7813cb21e02222ea64cb308bb368cb4c846b1c90ca1858c458e447bae26bcbd82462504bd48ff8a5aa6997093da32b00d13db5d22911e4b1a1
-
Filesize
156KB
MD579a6ccc3a35f59a274548f1f74574fa0
SHA12240823e40e70459040334c175a9f60e0e0ad723
SHA25633eeac74a3b10c2985f8c2ff1b5c02ba3a58683af21c9adb51498834ed129c81
SHA512c596e5d3c82ee51c2c5fe0a4bfca80922bf6bf39fce4c7bc379e82dc3aa806b49c41011bdc26df67f0f3a7430256f3a8e5b7a1810af93398964751a7d1f6cf19
-
Filesize
782KB
MD5bb382949326bc1aa31a42a3e5f390034
SHA1065835dd71998d95da5240efdd580ff26090f50b
SHA256bb9c25105f1436fd448a3c72e1944442843d718b913bb8fd29a8bd9006bc0641
SHA512a98bac58d5d15071bf815828641f774d49d7b5a190c52eb52cd6f0db40646f5603d9e8781a1bef1714f6c0072ee5e9c1055c7334c0ec8917b22f2c59b3ad5e17