25f5d8e42ffb704933ba97d5ff9963f11864cd7eca1cbb9f5fceb9ad5b546f18

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe
Size

21KB
MD5

28f90dccfccc7bb5b130608907c9b0fd
SHA1

8592494fedf9d359fbc5e8d146d880e905e3abcb
SHA256

25f5d8e42ffb704933ba97d5ff9963f11864cd7eca1cbb9f5fceb9ad5b546f18
SHA512

41af02409beaeca161ab41ae2098a3c43e315d5e12b438402dd55141859f7cb0de2d261f9e389865691decb60b1b1ba95810bf43a5573211bf367c6b007517c3
SSDEEP

384:msmVL3GyUStYEomsGU9THttmLDAOJ82nlm3R1iSIhaQYIg:mvVVUStYEomsGU9LtuD9820+VaLH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2416	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	toolba.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\toolba.exe	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\toolba.exe	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
2128	taskkill.exe
2888	taskkill.exe
2488	taskkill.exe
2476	taskkill.exe
2540	taskkill.exe
1280	taskkill.exe
2564	taskkill.exe
2608	taskkill.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe
1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe
2644	toolba.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2696	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2696	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2696	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2696	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2996	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2996	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2996	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2996	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2504	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	30
PID 1936 wrote to memory of 2504	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	30
PID 1936 wrote to memory of 2504	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	30
PID 1936 wrote to memory of 2504	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	30
PID 1936 wrote to memory of 3060	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	31
PID 1936 wrote to memory of 3060	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	31
PID 1936 wrote to memory of 3060	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	31
PID 1936 wrote to memory of 3060	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2608	2996	cmd.exe	37
PID 2996 wrote to memory of 2608	2996	cmd.exe	37
PID 2996 wrote to memory of 2608	2996	cmd.exe	37
PID 2996 wrote to memory of 2608	2996	cmd.exe	37
PID 3060 wrote to memory of 2564	3060	cmd.exe	38
PID 3060 wrote to memory of 2564	3060	cmd.exe	38
PID 3060 wrote to memory of 2564	3060	cmd.exe	38
PID 3060 wrote to memory of 2564	3060	cmd.exe	38
PID 2696 wrote to memory of 2540	2696	cmd.exe	39
PID 2696 wrote to memory of 2540	2696	cmd.exe	39
PID 2696 wrote to memory of 2540	2696	cmd.exe	39
PID 2696 wrote to memory of 2540	2696	cmd.exe	39
PID 2504 wrote to memory of 1280	2504	cmd.exe	40
PID 2504 wrote to memory of 1280	2504	cmd.exe	40
PID 2504 wrote to memory of 1280	2504	cmd.exe	40
PID 2504 wrote to memory of 1280	2504	cmd.exe	40
PID 2644 wrote to memory of 2792	2644	toolba.exe	41
PID 2644 wrote to memory of 2792	2644	toolba.exe	41
PID 2644 wrote to memory of 2792	2644	toolba.exe	41
PID 2644 wrote to memory of 2792	2644	toolba.exe	41
PID 2644 wrote to memory of 2684	2644	toolba.exe	42
PID 2644 wrote to memory of 2684	2644	toolba.exe	42
PID 2644 wrote to memory of 2684	2644	toolba.exe	42
PID 2644 wrote to memory of 2684	2644	toolba.exe	42
PID 2644 wrote to memory of 2648	2644	toolba.exe	44
PID 2644 wrote to memory of 2648	2644	toolba.exe	44
PID 2644 wrote to memory of 2648	2644	toolba.exe	44
PID 2644 wrote to memory of 2648	2644	toolba.exe	44
PID 2644 wrote to memory of 2688	2644	toolba.exe	45
PID 2644 wrote to memory of 2688	2644	toolba.exe	45
PID 2644 wrote to memory of 2688	2644	toolba.exe	45
PID 2644 wrote to memory of 2688	2644	toolba.exe	45
PID 1936 wrote to memory of 2416	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	49
PID 1936 wrote to memory of 2416	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	49
PID 1936 wrote to memory of 2416	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	49
PID 1936 wrote to memory of 2416	1936	28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe	49
PID 2648 wrote to memory of 2476	2648	cmd.exe	50
PID 2648 wrote to memory of 2476	2648	cmd.exe	50
PID 2648 wrote to memory of 2476	2648	cmd.exe	50
PID 2648 wrote to memory of 2476	2648	cmd.exe	50
PID 2684 wrote to memory of 2488	2684	cmd.exe	51
PID 2684 wrote to memory of 2488	2684	cmd.exe	51
PID 2684 wrote to memory of 2488	2684	cmd.exe	51
PID 2684 wrote to memory of 2488	2684	cmd.exe	51
PID 2792 wrote to memory of 2128	2792	cmd.exe	52
PID 2792 wrote to memory of 2128	2792	cmd.exe	52
PID 2792 wrote to memory of 2128	2792	cmd.exe	52
PID 2792 wrote to memory of 2128	2792	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28f90dccfccc7bb5b130608907c9b0fd_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\28F90D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2416

C:\Windows\SysWOW64\toolba.exe
C:\Windows\SysWOW64\toolba.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\toolba.exe

Filesize
21KB

MD5
28f90dccfccc7bb5b130608907c9b0fd

SHA1
8592494fedf9d359fbc5e8d146d880e905e3abcb

SHA256
25f5d8e42ffb704933ba97d5ff9963f11864cd7eca1cbb9f5fceb9ad5b546f18

SHA512
41af02409beaeca161ab41ae2098a3c43e315d5e12b438402dd55141859f7cb0de2d261f9e389865691decb60b1b1ba95810bf43a5573211bf367c6b007517c3

Download Submit