Analysis
Max time kernel: 148s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 03-07-2024 04:02
Static task: static1
Behavioral task: behavioral1
Sample: 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
Size: 384KB
MD5: 210366d4a3a26e2054f68303d496a7d7
SHA1: ec1cd9889d6552ed7805f12dc9ca01e0a1aec6e8
SHA256: 3eb3b72914c651d93adfb6e82e2cd9efbec77117d18446b486b6e87db9630db6
SHA512: e5d0751f9b453d4a19c74b494c67d48003528ba1356efb000c6e405526baf37dab7cc023749841b8b8f021199c249951d3732484e0ffab7410efb36fc995a8d4
SSDEEP: 6144:pZ2XN0gD4kkgSpKZlC1CjB71Ma5OqqBNDiAtblmrvVTYrCu71ivm776s4HU3oNLI:zMl0BgS0Zo8lyQIBN2At5mrdT071iG7o
Malware Config
(none extracted)

Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Disables taskbar notifications via registry modification

Deletes itself (1 IoC)
pid | Process
3036 | rlk.exe

Executes dropped EXE (1 IoC)
pid | Process
3036 | rlk.exe

Loads dropped DLL (2 IoCs)
pid | Process
2536 | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
2536 | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
Modifies system executable filetype association (2 TTPs, 17 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\ = "Application" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rlk.exe\" -a \"%1\" %*" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon\ = "%1" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start | rlk.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\1473883745 = "C:\\Users\\Admin\\AppData\\Local\\rlk.exe" | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
Modifies registry class (41 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\ = "exefile" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\DefaultIcon\ = "%1" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rlk.exe\" -a \"%1\" %*" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\open | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\rlk.exe\" -a \"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\runas\command | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\runas\command | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\ = "Application" | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\DefaultIcon\ = "%1" | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell | rlk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | rlk.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\DefaultIcon | rlk.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.exe\shell\start\command | rlk.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
2536 | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe (13 occurrences)
3036 | rlk.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2640 | explorer.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2640 | explorer.exe (16 occurrences)
Suspicious use of FindShellTrayWindow (35 IoCs)
pid | Process
2640 | explorer.exe (31 occurrences)
3036 | rlk.exe (4 occurrences)
Suspicious use of SendNotifyMessage (23 IoCs)
pid | Process
2640 | explorer.exe (22 occurrences)
3036 | rlk.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3036 | rlk.exe
3036 | rlk.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2536 wrote to memory of 3036 | 2536 | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe | 28
PID 2536 wrote to memory of 3036 | 2536 | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe | 28
PID 2536 wrote to memory of 3036 | 2536 | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe | 28
PID 2536 wrote to memory of 3036 | 2536 | 210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe | 28
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe"
PID: 2536
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 2 (child of PID 2536): C:\Users\Admin\AppData\Local\rlk.exe
Command line: "C:\Users\Admin\AppData\Local\rlk.exe" -gav C:\Users\Admin\AppData\Local\Temp\210366d4a3a26e2054f68303d496a7d7_JaffaCakes118.exe
PID: 3036
- Deletes itself
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx

Level 1: C:\Windows\explorer.exe
Command line: explorer.exe
PID: 2640
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
(no network indicators recorded)

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)