Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/07/2024, 20:21 UTC

General

  • Target
    1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
  • Size
    165KB
  • MD5
    1c5eb0e8f00fd584e8d1d3006278fe76
  • SHA1
    03f5aa75940b9176a97ac41257f306c33cca93da
  • SHA256
    e026f6f1a5a4f5b39e68c8cdb050334174764d2c7fe041073c6e64872a3a4099
  • SHA512
    592c5856367f942c29f9f88c7ed20f65eb453475991ffafa11cd72b4c45ca3e58f47af0d4daf6cda2a3800de45789d55596bfcfe3588ee4f7f77417e52474590
  • SSDEEP
    3072:yo5Htro+64OBGLvtwT+rGkLB0oA50BFLqlNyoNCzN2D3zCCR9GPU1:351llOBGLvuT+rjLBxAblNyN2zz7RWM

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (4 IoCs)
  • Program crash (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: MapViewOfSection (24 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
    PID:372
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      2⤵
      PID:480
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        3⤵
        PID:604
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          4⤵
          PID:2424
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS
        3⤵
        PID:680
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
        3⤵
        PID:760
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        3⤵
        PID:816
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          4⤵
          PID:1168
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        3⤵
        PID:860
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService
        3⤵
        PID:968
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        3⤵
        PID:272
      • C:\Windows\System32\spoolsv.exe
        C:\Windows\System32\spoolsv.exe
        3⤵
        PID:1008
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        3⤵
        PID:1084
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        3⤵
        PID:1092
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
        3⤵
        PID:2304
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        3⤵
        PID:2252
    • C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsass.exe
      2⤵
      PID:488
    • C:\Windows\system32\lsm.exe
      C:\Windows\system32\lsm.exe
      2⤵
      PID:496
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    PID:396
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "-677212024-73098000-77438666348748318697769356464776911-1326470532-128575295"
      2⤵
      PID:1668
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:432
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
        C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 92
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Program crash
          PID:1740
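
The tree above is the substantive finding of this report: Explorer (PID 1192) starts the sample from the user's Temp directory, the sample (PID 852) launches a second executable named with its own base name plus "mgr" (PID 1844, tagged "Executes dropped EXE" and "Drops file in System32 directory"), and that child crashes, which is what the WerFault.exe entry records (its -p 1844 argument is the PID of the crashed process). The sandbox also tags WerFault.exe itself as "Executes dropped EXE" and lists it under Downloads; WerFault.exe is the Windows Error Reporting host, so compare its listed hash against a known-good copy from the same image before treating it as an attacker artifact. The Python below is an added example, not part of the report or the sandbox's tooling: it parses the report's own notation (image-path bullet, command line, "N⤵" depth marker, optional signature bullets, "PID:n") into a parent/child table, taking nesting from the depth markers rather than the indentation, and then flags that chain. REPORT_EXCERPT is a constructed excerpt of the tree above.

```python
"""Parse this report's process-tree notation and flag the drop-and-crash
chain it records.  Added example, not part of the report or the sandbox's
tooling.  REPORT_EXCERPT is a constructed excerpt of the tree above in the
report's own notation: image-path bullet, command line, "N⤵" depth
marker, zero or more signature bullets, then "PID:n"."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REPORT_EXCERPT = r"""
• C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  1⤵
  PID:1192
  • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118.exe"
    2⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
      C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
      3⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 92
        4⤵
        • Executes dropped EXE
        • Program crash
        PID:1740
• C:\Windows\system32\winlogon.exe
  winlogon.exe
  1⤵
  PID:432
"""

@dataclass
class Proc:
    pid: int
    depth: int
    image: str
    cmdline: str
    parent: Optional[int]
    signatures: List[str] = field(default_factory=list)

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")

def parse_process_tree(text: str) -> Dict[int, Proc]:
    """Walk the notation top to bottom.  The depth marker, not the
    indentation, decides nesting: an entry at depth d is a child of the most
    recently completed entry at depth d-1."""
    procs: Dict[int, Proc] = {}
    stack: List[int] = []        # PID of the open entry at each depth
    fields: List[str] = []       # image, cmdline, then signature bullets
    depth: Optional[int] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))
            continue
        m = PID_RE.match(line)
        if m is None:
            fields.append(line.lstrip("•").strip())
            continue
        if depth is None or len(fields) < 2:
            raise ValueError(f"malformed entry ending at {line!r}")
        del stack[depth - 1:]                  # close any deeper branches
        pid = int(m.group(1))
        procs[pid] = Proc(pid, depth, fields[0], fields[1],
                          stack[-1] if stack else None, fields[2:])
        stack.append(pid)
        fields, depth = [], None
    return procs

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WERFAULT_RE = re.compile(r"\bWerFault\.exe\b.*\s-p\s+(\d+)", re.IGNORECASE)

def find_drop_and_crash_chains(procs: Dict[int, Proc]) -> List[Tuple[int, int, Optional[int]]]:
    """(dropper, dropped, werfault) PID triples: a process running from the
    user's Temp directory spawned a child tagged "Executes dropped EXE";
    werfault is the WerFault.exe whose -p argument names that child, or None
    if it did not crash.  A WerFault instance is never counted as a dropped
    payload itself, even where the sandbox tags it as one."""
    handlers: Dict[int, int] = {}          # crashed PID -> WerFault PID
    for p in procs.values():
        m = WERFAULT_RE.search(p.cmdline)
        if m:
            handlers[int(m.group(1))] = p.pid
    chains = []
    for p in procs.values():
        if p.pid in handlers.values() or "Executes dropped EXE" not in p.signatures:
            continue
        parent = procs.get(p.parent) if p.parent is not None else None
        if parent is not None and TEMP_DIR_RE.search(parent.image):
            chains.append((parent.pid, p.pid, handlers.get(p.pid)))
    return sorted(chains)
```

On this excerpt `find_drop_and_crash_chains(parse_process_tree(REPORT_EXCERPT))` returns `[(852, 1844, 1740)]`; the WerFault entry is excluded as a candidate payload because its command line identifies it as the crash handler for 1844, and the depth-1 winlogon entry at the end resets the ancestor stack correctly after the depth-4 entry.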

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe
      Filesize: 60KB
      MD5: cd963c64ad0bea4ca85a4819f6eefed1
      SHA1: d9cd6316cf3c6ce5ceec9694c2debc7b7981775f
      SHA256: 33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906
      SHA512: f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e
  • C:\Windows\SysWOW64\WerFault.exe
      Filesize: 352KB
      MD5: 5feab868caedbbd1b7a145ca8261e4aa
      SHA1: f43f28cc5165608e6fb3794e9a3d083ca2c75f0e
      SHA256: 08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c
      SHA512: 91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1
  • memory/852-0-0x0000000001000000-0x000000000102E000-memory.dmp
      Filesize: 184KB
  • memory/852-10-0x0000000077750000-0x0000000077751000-memory.dmp
      Filesize: 4KB
  • memory/852-9-0x000000007774F000-0x0000000077750000-memory.dmp
      Filesize: 4KB
  • memory/852-14-0x0000000001000000-0x000000000102E000-memory.dmp
      Filesize: 184KB
  • memory/1740-17-0x000000007EFA0000-0x000000007EFAC000-memory.dmp
      Filesize: 48KB
  • memory/1844-16-0x000000007EFA0000-0x000000007EFAC000-memory.dmp
      Filesize: 48KB
  • memory/1844-25-0x000000007EFA0000-0x000000007EFAC000-memory.dmp
      Filesize: 48KB
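
The dump names above encode the PID, a capture index and the address range, and the printed Filesize follows from the range: 0x000000000102E000 - 0x0000000001000000 = 0x2E000 bytes = 184KB, and 0x7EFAC000 - 0x7EFA0000 = 0xC000 bytes = 48KB, the latter captured once in PID 1740 and twice in PID 1844. The Python below is an added example, not part of the report or the sandbox's tooling: it checks a file's digests against the hashes listed in this section and checks each dump name against its listed size. The bytes hashed in its __main__ block are constructed and do not reproduce the dropped file, which the report does not embed.

```python
"""Check files and memory-dump names against the artifact table above.
Added example, not part of the report or the sandbox's tooling.  The hash
and size values are copied from the Downloads section; the bytes hashed in
the __main__ block are constructed and do not reproduce the dropped file,
which the report does not embed."""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Dropped files as listed in the report (lowercase hex digests).
REPORT_ARTIFACTS: Dict[str, Dict[str, str]] = {
    "1c5eb0e8f00fd584e8d1d3006278fe76_JaffaCakes118mgr.exe": {
        "md5": "cd963c64ad0bea4ca85a4819f6eefed1",
        "sha1": "d9cd6316cf3c6ce5ceec9694c2debc7b7981775f",
        "sha256": "33c4b715dc8b183dff9aac65cc42c7f2c70658580b8e3d449878251482a5d906",
        "sha512": "f7cd12c57eff3acf7c89b0e7b55dfa81623618a65d6c49b490c199cfe63ae9e858f2681c8ef1425d1e4b25f7b0bbd6d4a9d9788956c23f52fece3d5d79b5907e",
    },
    "WerFault.exe": {
        "md5": "5feab868caedbbd1b7a145ca8261e4aa",
        "sha1": "f43f28cc5165608e6fb3794e9a3d083ca2c75f0e",
        "sha256": "08bace187a0225e10677de9aa6738a7118be3e5cad6dc45fb8d3366a61bb343c",
        "sha512": "91108ab6dd422c1d500fc0a65df6faffdb7000828a0f908b1c053129b4b8702fdb7309fa3f4f6054ad542dfe24fd4853e2fe32f7e45aa369e7a3cb6137bdaca1",
    },
}

# Memory dumps as listed, with the Filesize the report prints beside each.
REPORT_DUMPS: Dict[str, str] = {
    "memory/852-0-0x0000000001000000-0x000000000102E000-memory.dmp": "184KB",
    "memory/852-10-0x0000000077750000-0x0000000077751000-memory.dmp": "4KB",
    "memory/852-9-0x000000007774F000-0x0000000077750000-memory.dmp": "4KB",
    "memory/852-14-0x0000000001000000-0x000000000102E000-memory.dmp": "184KB",
    "memory/1740-17-0x000000007EFA0000-0x000000007EFAC000-memory.dmp": "48KB",
    "memory/1844-16-0x000000007EFA0000-0x000000007EFAC000-memory.dmp": "48KB",
    "memory/1844-25-0x000000007EFA0000-0x000000007EFAC000-memory.dmp": "48KB",
}

def digest_bytes(data: bytes) -> Dict[str, str]:
    """All four digests the report lists, so any one of them can be matched."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}

def match_report_artifact(data: bytes, table: Dict[str, Dict[str, str]] = REPORT_ARTIFACTS
                          ) -> List[Tuple[str, Set[str]]]:
    """Artifacts whose listed digests agree with `data`, with the algorithms
    that agreed.  A partial agreement (MD5 and SHA256 match, SHA1 does not)
    points at a transcription error in the table, so it is reported rather
    than collapsed into a plain yes/no."""
    got = digest_bytes(data)
    hits = []
    for name, listed in table.items():
        agree = {a for a in ALGOS if listed.get(a, "").lower() == got[a]}
        if agree:
            hits.append((name, agree))
    return hits

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_dump_name(name: str) -> Optional[Dict[str, int]]:
    """memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp -> fields and byte size."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        return None
    return {"pid": int(m.group(1)), "index": int(m.group(2)),
            "start": start, "end": end, "size": end - start}

def check_reported_dumps(dumps: Dict[str, str] = REPORT_DUMPS) -> List[str]:
    """Dump names whose address range disagrees with the printed Filesize.
    Every range in this report is a whole number of KB, so the comparison is exact."""
    bad = []
    for name, listed in dumps.items():
        info, m = parse_dump_name(name), re.fullmatch(r"(\d+)KB", listed)
        if info is None or m is None or info["size"] != int(m.group(1)) * 1024:
            bad.append(name)
    return bad

def group_dumps_by_pid(dumps: Dict[str, str] = REPORT_DUMPS) -> Dict[int, List[Tuple[int, int, int]]]:
    """pid -> sorted (index, start, end); shows a region captured more than
    once in one process and the same range appearing in two processes."""
    groups: Dict[int, List[Tuple[int, int, int]]] = {}
    for name in dumps:
        info = parse_dump_name(name)
        if info is not None:
            groups.setdefault(info["pid"], []).append((info["index"], info["start"], info["end"]))
    return {pid: sorted(v) for pid, v in groups.items()}

if __name__ == "__main__":
    sample = b"constructed bytes, not the dropped file"   # constructed input
    print("matches:", match_report_artifact(sample))       # [] for these bytes
    print("size mismatches:", check_reported_dumps())      # []
    print(group_dumps_by_pid())
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `match_report_artifact`; a hit on all four algorithms is the expected result for the genuine dropped file, and a hit on fewer than four means the table, not the file, needs a second look.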
