Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-07-2024 10:15
Static task
static1
Behavioral task
behavioral1
Sample
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/sixepu.dll
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/sixepu.dll
Resource
win10v2004-20240704-en
General
-
Target
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
-
Size
572KB
-
MD5
2ff733dbb9b655a057ed7dfc2ea13daf
-
SHA1
c1d27a666129297faffab19528a1a2864e8d52c3
-
SHA256
071820da24f6b704ce6356e79ded9baad1acaa5e400fb8727c33bae6aa6f7a2f
-
SHA512
c251ae16ffcac19858957029589accfdfc1df28ed3a3c9f2db25ddc22ae8bf9690b8a22304529ec2965ef465fea3398cd06b382e85ea8fb3a7d9d9aba8933cff
-
SSDEEP
12288:ys8yx7i2iadN8gZE4DO5ABBCkwJbt4N8AS4EWtEjOBiZaB9BeuON/HcDfRjALs:PhG2iYeWAQaToEsOGiZawuON/HUf56s
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2176-8-0x0000000000400000-0x000000000048B000-memory.dmp family_snakekeylogger behavioral1/memory/2176-10-0x0000000000400000-0x000000000048B000-memory.dmp family_snakekeylogger behavioral1/memory/2176-11-0x0000000000400000-0x000000000048B000-memory.dmp family_snakekeylogger -
Loads dropped DLL 1 IoCs
Processes:
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exepid process 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org 6 freegeoip.app 7 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exedescription pid process target process PID 2424 set thread context of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exepid process 2176 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 2176 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exedescription pid process target process PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2424 wrote to memory of 2176 2424 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe PID 2176 wrote to memory of 2240 2176 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe dw20.exe PID 2176 wrote to memory of 2240 2176 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe dw20.exe PID 2176 wrote to memory of 2240 2176 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe dw20.exe PID 2176 wrote to memory of 2240 2176 2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 5483⤵PID:2240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD5040853f7eb99fcc82ea269734850785e
SHA18f18a3e2d9349d60de78194fcb62b7775cd297d6
SHA2560f68d5467617881e66690c950d2d2f409129662d2f78d6b648a2e2bf89bf33c0
SHA512cf5cd1fc536cec5d2c9735ad8129dd7990ef998403dd171bb5daf4b6d468beeb1d4a264124c701e57a89103231273b577e2a3858cd056182739e384395c56b6b