Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 00:01
Static task: static1
Behavioral task: behavioral1
  Sample: 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
  Resource: win10v2004-20240708-en
General
Target: 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
Size: 18KB
MD5: 2e4c6bb4b7998bb3c2e5d96a3bd5fa52
SHA1: 25d5bf03b2d9cf7896ea17b7b636215dbde1dd0c
SHA256: 1986728365e1868ce4884e7e553586a76791b51fb94b95c4585124db937f33d9
SHA512: afd3b03465fce17a2d755ab5024f7682a5012c461ab8458c23396b490bb4c1c677db5976b720880e29073d005d039c94523b704862a090042fec0845c588860b
SSDEEP: 384:k53UcujpI7nqsKz7F8wz4ZUVgjmfr3KyWGv9o2VseIt0R9W/fm:keXGKzSd7mfr6c9jVXI6R9+fm
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                          | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run                            | ISHOST.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ISHOST.EXE = "ISHOST.EXE"  | ISHOST.EXE

Deletes itself (1 IoCs)
  pid  | Process
  2792 | cmd.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  2708 | ISHOST.EXE
  2980 | ismini.exe

Loads dropped DLL (4 IoCs)
  pid  | Process
  2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
  2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
  2708 | ISHOST.EXE
  2708 | ISHOST.EXE

Drops file in System32 directory (4 IoCs)
  description                  | ioc                                      | Process
  File created                 | C:\Windows\SysWOW64\ismini.exe           | ISHOST.EXE
  File created                 | C:\Windows\SysWOW64\components\flx0.dll  | ISHOST.EXE
  File created                 | C:\Windows\SysWOW64\ISHOST.EXE           | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\ISHOST.EXE           | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
  2708 | ISHOST.EXE
  2980 | ismini.exe
  (64 entries in total: one hit from PID 2220, followed by repeated hits alternating between PID 2708 ISHOST.EXE and PID 2980 ismini.exe)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                        | pid  | Process
  Token: SeIncBasePriorityPrivilege  | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        | pid  | Process                                            | procid_target
  PID 2220 wrote to memory of 2708   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 30
  PID 2220 wrote to memory of 2708   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 30
  PID 2220 wrote to memory of 2708   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 30
  PID 2220 wrote to memory of 2708   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 30
  PID 2708 wrote to memory of 2980   | 2708 | ISHOST.EXE                                         | 31
  PID 2708 wrote to memory of 2980   | 2708 | ISHOST.EXE                                         | 31
  PID 2708 wrote to memory of 2980   | 2708 | ISHOST.EXE                                         | 31
  PID 2708 wrote to memory of 2980   | 2708 | ISHOST.EXE                                         | 31
  PID 2220 wrote to memory of 2792   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 32
  PID 2220 wrote to memory of 2792   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 32
  PID 2220 wrote to memory of 2792   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 32
  PID 2220 wrote to memory of 2792   | 2220 | 2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e4c6bb4b7998bb3c2e5d96a3bd5fa52_JaffaCakes118.exe"
   PID: 2220
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ISHOST.EXE
      Command line: C:\Windows\system32\ISHOST.EXE
      PID: 2708
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\ismini.exe
         Command line: C:\Windows\system32\ismini.exe
         PID: 2980
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2E4C6B~1.EXE > nul
      PID: 2792
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 7KB
  MD5: 40e8e672ce978235a4ec609515c670c6
  SHA1: 7e5f1095ef01366a37ae1c57ad2003a0b83c940d
  SHA256: 9178de1df439696f1a63e8cc7f72df355f2397595792199bd2ee6ac2663add67
  SHA512: f2fb65e17a2e5301a2e1414cfb88d945aa78eae9478e207098bb4a2baf20d847ff4915ad3342e142d29705e4a89306381630a0e0520a8529b087660a410018d4

File 2
  Filesize: 43KB
  MD5: e2b82a32648e8942e51e5f05089e08e5
  SHA1: 356ab9a5531c04b14bb9749d1cd8a8368f230df1
  SHA256: fe6228f3482932996cdd692f3aef4c82dbe2b7bdf8a29f842b1df42c66e3d529
  SHA512: b7ab6d64988e53554ce98d80b6ca3f985a849bb0a77264329ce762e34e6b5527276a801cfea5d94d238c10d7a926ca15c3a07b0542324a2a809cdd981f56e3da