Analysis
-
max time kernel: 84s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2024, 07:19
Static task: static1
Behavioral task: behavioral1
  Sample: 2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
-
Target: 2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
Size: 157KB
MD5: 2b7083e65c670f754f718600eb292cfb
SHA1: 2c958a67f029d6dc730ad0e94290a5a635225300
SHA256: 75f0f21737fed722cba5c80dacdb50614a3e5240efae04108af4e9cc7ae0c707
SHA512: f7ab0e909e7763d65d71153e289a2fd52a5b708f6756423bb9f74069d7f99841d99f98553fe3e4f327f5590d7c1a6c26815fb068b4e02857b110b4d5b815b250
SSDEEP: 3072:Vp9pZqP95Oh1DDyjRvxwKU9LfnnOgW4jKIWO977dW18DjVjR:DZE5+13ylv+nDn8O9HdqqJj
Malware Config
Signatures
-
Deletes itself (1 IoC)
  PID 2712  cmd.exe
-
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. In this run the sample rewrites the InprocServer32 default value of two CLSIDs (see "Modifies registry class" below): the machine-wide one is pointed at C:\Windows\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n, the file it drops there, and the per-user one at the same file name under the user's AppData\Local. Any process that instantiates either class will load that file in-process.
-
Executes dropped EXE (2 IoCs)
  PID 1264  Explorer.EXE
  PID 476   services.exe
  Note: both are pre-existing system processes (level 1 in the process tree below, not children of the sample) that PID 2944 writes into via WriteProcessMemory. Read this tag as code injection into Explorer.EXE and services.exe rather than execution of a newly dropped binary.
-
Unexpected DNS network traffic destination (9 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP 66.85.130.234 (9 occurrences)
-
Suspicious use of SetThreadContext (1 IoC)
  PID 2944 (2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe) set thread context of PID 2712 (cmd.exe, procid_target 30)
-
Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\@  by 2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
  File created  C:\Windows\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n  by 2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
-
Modifies registry class (6 IoCs; all by 2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\(Default) = "\\.\globalroot\systemroot\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n."
  Key created      \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\clsid
  Key created      \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
  Key created      \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32
  Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"
  Set value (str)  \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\(Default) = "C:\Users\Admin\AppData\Local\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n."
  Reading the values: the backslashes are shown unescaped (the sandbox output doubled them). \\.\globalroot\systemroot is the NT device-path spelling of %SystemRoot%, i.e. C:\Windows, so the first value names the same directory the files above were dropped into. The trailing dot in "n." is removed by Win32 path normalisation, so both values resolve to the file n. The per-user key is consulted before HKLM\SOFTWARE\Classes by non-elevated COM clients, which is what makes the HKU entry a hijack of a machine-wide CLSID rather than a new registration.
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 2944  2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe (7 occurrences)
-
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege         PID 2944  2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe (3 occurrences)
  Token: SeBackupPrivilege        PID 476   services.exe
  Token: SeRestorePrivilege       PID 476   services.exe
  Token: SeSecurityPrivilege      PID 476   services.exe
  Token: SeTakeOwnershipPrivilege PID 476   services.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1264  Explorer.EXE (2 occurrences)
-
Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1264  Explorer.EXE (2 occurrences)
-
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2944 (2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe) wrote to memory of PID 1264 (Explorer.EXE, procid_target 21)  2 occurrences
  PID 2944 (2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe) wrote to memory of PID 476 (services.exe, procid_target 6)    1 occurrence
  PID 2944 (2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe) wrote to memory of PID 2712 (cmd.exe, procid_target 30)      5 occurrences
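The registry rows above are the kind of thing a responder wants to score automatically. The script below is an added example, not part of the sandbox report and not code from any tool it names. It takes the "Modifies registry class" rows transcribed as records, normalises the two path spellings the sample uses (NT device path with \\.\globalroot\systemroot, and a trailing dot that Win32 strips), and flags each InprocServer32 default value for the reasons a hunt rule would use: device path, trailing dot, user-writable or MSI-cache location, non-DLL file name, and a per-user CLSID shadowing a machine-wide one. HKLM_BASELINE is a constructed placeholder for the pre-infection machine-wide value of the per-user CLSID, which the report does not show; the single-drive C:\Windows mapping is an assumption.

```python
"""Score COM-hijack registry IoCs (added example; records transcribed from the report)."""
import re
from dataclasses import dataclass

SYSTEMROOT = r"c:\windows"  # assumption: single system drive, default install path
# NT-native / device-path spellings that reach the same files as a drive-letter path.
DEVICE_PREFIXES = ("\\\\.\\globalroot", "\\??\\", "\\\\?\\")
# Directories a standard user can write to.
USER_WRITABLE_DIRS = (r"c:\users", r"c:\programdata", r"c:\windows\temp")
# The Windows Installer cache holds .msi/.msp packages, not COM servers.
MSI_CACHE_DIR = r"c:\windows\installer"
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32$", re.IGNORECASE)


@dataclass
class RegRecord:
    key: str         # registry key path as the sandbox logs it
    value_name: str  # "" for the (Default) value
    data: str


@dataclass
class Finding:
    clsid: str
    hive: str
    server: str      # normalised Win32 path of the in-process server
    reasons: list


# Transcribed from the report ("Set value" rows; "Key created" rows carry no data).
IOCS = [
    RegRecord(r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32",
              "", r"\\.\globalroot\systemroot\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n."),
    RegRecord(r"\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32",
              "ThreadingModel", "Both"),
    RegRecord(r"\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32",
              "", r"C:\Users\Admin\AppData\Local\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n."),
]

# Constructed placeholder (assumption): the machine-wide registration that the
# per-user key shadows. The report does not show the original value.
HKLM_BASELINE = {
    "{42aedc87-2188-41fd-b9a3-0c966feabec1}": r"c:\windows\system32\original.dll",
}


def normalize_path(p: str) -> str:
    """Reduce NT/device-path spellings to a lower-cased Win32 path.
    Win32 normalisation also drops trailing dots and spaces from the last
    component, so "...\\n." designates the file "n"."""
    low = p.strip().strip('"').replace("/", "\\").lower()
    for prefix in ("\\\\.\\globalroot\\systemroot", "\\systemroot", "\\??\\c:\\windows"):
        if low.startswith(prefix):
            low = SYSTEMROOT + low[len(prefix):]
            break
    return low.rstrip(". ")


def _under(path: str, directory: str) -> bool:
    return path.startswith(directory + "\\")


def triage(records, hklm_baseline):
    """Return a Finding for every InprocServer32 default value that looks hijacked."""
    findings = []
    for r in records:
        m = CLSID_RE.search(r.key)
        if r.value_name != "" or not m:
            continue
        clsid = m.group(1).lower()
        hive = "HKLM" if r.key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
        raw = r.data.strip().strip('"').lower()
        server = normalize_path(r.data)
        reasons = []
        if raw.startswith(DEVICE_PREFIXES):
            reasons.append("NT device path instead of a drive-letter path")
        if raw != raw.rstrip(". "):
            reasons.append("trailing dot/space relies on Win32 normalisation to reach the real file")
        if any(_under(server, d) for d in USER_WRITABLE_DIRS):
            reasons.append("server lives in a user-writable directory")
        if _under(server, MSI_CACHE_DIR):
            reasons.append("server lives in the MSI cache directory")
        name = server.rsplit("\\", 1)[-1]
        if not name.endswith((".dll", ".ocx", ".ax")):
            reasons.append(f"server file '{name}' has no DLL extension")
        if hive == "HKU" and clsid in hklm_baseline and hklm_baseline[clsid] != server:
            reasons.append("per-user key shadows a machine-wide CLSID "
                           "(non-elevated COM clients consult HKCU\\Software\\Classes first)")
        if reasons:
            findings.append(Finding(clsid, hive, server, reasons))
    return findings
```

Running triage(IOCS, HKLM_BASELINE) yields two findings: the HKLM entry for {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} (device path, trailing dot, MSI cache, no DLL extension) and the HKU entry for {42aedc87-2188-41fd-b9a3-0c966feabec1} (user-writable AppData, trailing dot, no DLL extension, shadows the baseline). A benign value such as C:\Windows\System32\ole32.dll produces no finding. On a live host the same logic applies to the output of reg query or Get-ItemProperty over HKCU:\Software\Classes\CLSID\*\InprocServer32.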
Processes
-
C:\Windows\system32\services.exe  (PID 476, level 1)
  command line: C:\Windows\system32\services.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXE  (PID 1264, level 1)
  command line: C:\Windows\Explorer.EXE
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Users\Admin\AppData\Local\Temp\2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe  (PID 2944, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2712, level 3)
      command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
      Note: the command line names system32 but the image was loaded from SysWOW64. That is WoW64 file-system redirection, applied because the parent (PID 2944) is a 32-bit process on the x64 guest. The only SetThreadContext call and five of the eight WriteProcessMemory calls target this child, and it is the process that deletes the original sample.
-
-
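The WriteProcessMemory and SetThreadContext rows only become readable once they are grouped by source and target and combined with the parent links from the process tree. The script below does that grouping; it is an added example, not part of the sandbox report, and the events, names and parent link are transcribed from the report's Signatures section and process tree. It distinguishes a child the injector itself spawned and then both wrote to and re-pointed a thread in (the hollowing / thread-hijack pattern seen on cmd.exe) from writes into processes that already existed before the sample ran (Explorer.EXE, services.exe).

```python
"""Group cross-process write events into an injection summary (added example)."""
from collections import Counter

# (api, source pid, target pid): the eight WriteProcessMemory rows and the one
# SetThreadContext row from the report.
EVENTS = [
    ("WriteProcessMemory", 2944, 1264), ("WriteProcessMemory", 2944, 1264),
    ("WriteProcessMemory", 2944, 476),
    ("WriteProcessMemory", 2944, 2712), ("WriteProcessMemory", 2944, 2712),
    ("WriteProcessMemory", 2944, 2712), ("WriteProcessMemory", 2944, 2712),
    ("WriteProcessMemory", 2944, 2712),
    ("SetThreadContext", 2944, 2712),
]
# From the Processes tree: image names, and the one parent link the sample owns.
NAMES = {476: "services.exe", 1264: "Explorer.EXE",
         2944: "2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe", 2712: "cmd.exe"}
PARENT = {2712: 2944}  # 476 and 1264 pre-date the sample (level 1 in the tree)


def summarize(events, names, parent):
    """Return {(src, dst): {...}} with counts per API and a label for the pattern."""
    counts = Counter()
    for api, src, dst in events:
        if src != dst:  # writes to the process's own memory are not injection
            counts[(src, dst, api)] += 1
    result = {}
    for src, dst in sorted({(s, d) for s, d, _ in counts}):
        wpm = counts[(src, dst, "WriteProcessMemory")]
        stc = counts[(src, dst, "SetThreadContext")]
        child = parent.get(dst) == src
        if wpm and stc:
            label = "memory written and thread context replaced" + (
                " in a child it spawned (hollowing/thread-hijack pattern)" if child
                else " in an existing process")
        elif wpm:
            label = "memory written into " + (
                "a child it spawned" if child else "a pre-existing process"
            ) + " with no logged thread-context change"
        else:
            label = "thread context changed without a logged memory write"
        result[(src, dst)] = {
            "source": names.get(src, str(src)),
            "target": names.get(dst, str(dst)),
            "writes": wpm,
            "context_sets": stc,
            "label": label,
        }
    return result
```

For the report's events this produces three entries: 2944 to 2712 (5 writes, 1 context set, child: hollowing/thread-hijack pattern), 2944 to 1264 (2 writes into pre-existing Explorer.EXE) and 2944 to 476 (1 write into pre-existing services.exe). The "no logged thread-context change" label on the last two only says the sandbox did not record one; the thread-start primitive used there is not visible in this report.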
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 26KB
MD5: fab7de9eafea67f88e43003698024c86
SHA1: 24a4ef27c29cdeabed5e0af867e3f568da40d0c9
SHA256: 073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384
SHA512: b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd
-
Filesize: 2KB
MD5: 38c9d726d8fec900eb13e0b96aa4a7df
SHA1: bfb1ea50a783e13e619228012f4472ae129f8bf5
SHA256: 6302e3d8798b296fe058c71cc12b6216d6b3f00015e2e2b36176989aeb1599e1
SHA512: 68864d4e9a3a6d61f871e44e2a50dbd6ea95c8a1cdfbddd79280d547173bdb9a05314a36004cdf2d057f4d7520e675257ef5c9e50d6ee6813500c4cd1932ac65