Analysis
max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
01-07-2024 12:29
Static task
static1
Behavioral task
behavioral1
Sample
1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target
1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
Size
1.2MB
MD5
1b4e5eb487d966f8b446cf7effd2ac69
SHA1
7e0a1b084423db665b244b8c7eade88fd99b804f
SHA256
17eb7aca0b4fe76f2d5e3ea4916cf5658da5c7092f09b703c5d75da22446377c
SHA512
8b3df6bdc362744d3d070553f49990e475eb387c0614f58426a033149203f83a4a176f2a7358034e6c1fe75ad8f7f0472bc4ffeea69f8b7d93daa8150d8638b4
SSDEEP
24576:Wv9ZORd/2LGq3dt5Fior66tiJBcy22EMAs/3AMwNC1r3jU6zl:Wv7ORd/sGsCzN/3AM2CdQ6zl
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource                                     yara_rule
behavioral2/files/0x000400000001e6de-7.dat   acprotect
Loads dropped DLL 3 IoCs
pid   Process
232   1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
232   1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
232   1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                     yara_rule
behavioral2/files/0x000400000001e6de-7.dat                                   upx
behavioral2/memory/232-12-0x00000000023F0000-0x0000000002436000-memory.dmp   upx
behavioral2/memory/232-13-0x00000000023F0000-0x0000000002436000-memory.dmp   upx
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid   Process
Token: SeDebugPrivilege   232   1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SetWindowsHookEx 43 IoCs
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid    Process                                              procid_target
PID 232 wrote to memory of 4468   232    1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe   91
PID 232 wrote to memory of 4468   232    1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe   91
PID 232 wrote to memory of 4468   232    1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe   91
PID 4468 wrote to memory of 988   4468   cmd.exe                                              93
PID 4468 wrote to memory of 988   4468   cmd.exe                                              93
PID 4468 wrote to memory of 988   4468   cmd.exe                                              93
Views/modifies file attributes 1 TTPs 1 IoCs
pid   Process
988   attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe"
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:232

  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.68911\43495.BAT
    - Suspicious use of WriteProcessMemory
    PID:4468

    C:\Windows\SysWOW64\attrib.exe
      attrib -a -s -r -h /s /d "C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.68911\*.*"
      - Views/modifies file attributes
      PID:988
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
363B
MD5
1b5d074780f0e18dcfbf4c9215caee53
SHA1
ad34f869bab2619f3835a96ab210b8f052ee3df9
SHA256
484487c53324bb2c43181d4d72375a1e100cf8f9e773c4c984bd33c18e83ca3b
SHA512
8e06a35e13ef9b3f643defb5c769ae3dbd30383230d5b82680db9288ea63975aad3bddb18062f93f3a4d3929995326a859792707b8645be005bc1d4dd1251a1d

Filesize
365KB
MD5
93f850d70e7a3dfaab82cab22dd230bd
SHA1
818ae103e5f5f1654001b289e0aadaaac363121e
SHA256
b8f05f1e3d8f2387abddddc06219036df02381ad5716ec41ccf0b05aaab94d37
SHA512
e93ae2987fc277cb44f7d949339330df2f7ee6f43346bd573150baaf82e676f75f97d2ed3f296545b1fb8650b128ae837b473ebff1924784b3fd938ef421a4b8

Filesize
74KB
MD5
37adc90bb984551751410d9e4012721b
SHA1
c1834985a3c52faf383d35e483644b116cadf706
SHA256
7ef60380175aaf88552343f8068f58e7d7fa3e4285ca3ef10ccdbc4e60b7978b
SHA512
618de79dc8fb1789a5e80d79a868b9c8d8f4212beff8a7c84cfbe433bc36b59f1a7baf9f8e7f8398b2d69fe461047557cc0b078a75fcdab172569e9846cc7be6