Analysis
- max time kernel: 142s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 15:05
Static task: static1
Behavioral task: behavioral1
  Sample: 353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
- Size: 689KB
- MD5: 353aee66f961ef3158e0884c287c5645
- SHA1: 9df777862cc2aa631e7134f175ea028bb7bc8728
- SHA256: 20a85e2d05f4f78e7e366b9b6562e453ece5fb3c556e4a03ad6edf45a43130df
- SHA512: 3d8d251f35d02bf4f4b80ceadbdcf9e4def5e9290f5ee4a2e33750389b05f39b38c69ae3535406c731a0146d16ef3a7345e1a2853cd1a195d7d09fd3d567b13e
- SSDEEP: 12288:ePLP+oUvVHcz8cv7DfuNy686Eg8wG8OF3Z4mxx5DqVTVOCg:8SoaVk8cffuNyR6EgS8OQmXQVTzg
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID   Process
  2536  4.exe
  3000  Hacker.com.cn.exe
- Loads dropped DLL (2 IoCs)
  PID   Process
  1992  353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
  1992  353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\\\""  353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe
  Note: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 is the standard cleanup entry written by IExpress/wextract self-extracting packages. It deletes the IXP000.TMP extraction folder at the next logon and does not relaunch the payload, so this autostart hit reflects the packaging, not payload persistence; look at C:\Windows\Hacker.com.cn.exe (started as its own process tree below) for the actual persistence mechanism.
- Drops file in Windows directory (3 IoCs)
  Description                    IoC                           Process
  File created                   C:\Windows\Hacker.com.cn.exe  4.exe
  File opened for modification   C:\Windows\Hacker.com.cn.exe  4.exe
  File created                   C:\Windows\uninstal.bat       4.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description               PID   Process
  Token: SeDebugPrivilege   2536  4.exe
  Token: SeDebugPrivilege   3000  Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  3000  Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Description                       PID   Process                                              procid_target  Count
  PID 1992 wrote to memory of 2536  1992  353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe  30             4
  PID 3000 wrote to memory of 2908  3000  Hacker.com.cn.exe                                    32             4
  PID 2536 wrote to memory of 2940  2536  4.exe                                                33             7
Processes
C:\Users\Admin\AppData\Local\Temp\353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe  (PID 1992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe  (PID 2536)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\SysWOW64\cmd.exe  (PID 2940)
          Command line: cmd /c C:\Windows\uninstal.bat

C:\Windows\Hacker.com.cn.exe  (PID 3000)
  Command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  +-- C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 2908)
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
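The process tree above is a compact dropper chain: a self-extractor runs its payload out of %TEMP%\IXP000.TMP, that payload writes a new .exe and a .bat into C:\Windows, and cmd.exe is then spawned on the .bat. The following detection logic is an added example and is not part of this sandbox report or its export format: it replays constructed Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry set; the dict field names are assumptions) modelled on the IoCs listed above, flags a process only when all three stages line up, and reports the wextract_cleanup0 RunOnce value separately as context rather than as persistence.

```python
"""Chain detection for the IExpress-style dropper behaviour in the report.

Added example, not the sandbox's own code. EVENTS is CONSTRUCTED to mirror
the report's process tree and IoCs; the Sysmon-like field names
(id, pid, ppid, image, cmdline, target, details) are assumptions.
"""
import re
from collections import defaultdict

# Stage 1: running from a wextract/IExpress extraction folder (IXPnnn.TMP).
IXP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# Stage 2: a new executable or script written directly under C:\Windows.
WINDOWS_DIR_RE = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|bat|cmd)$", re.IGNORECASE)
# Stage 3: cmd /c <script>.bat launched by the same process.
CMD_BAT_RE = re.compile(r"cmd(\.exe)?\s+/c\s+(?P<bat>\S+\.bat)", re.IGNORECASE)

# Constructed events (not a real log export) modelled on the report.
EVENTS = [
    {"id": 1, "pid": 1992, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\353aee66f961ef3158e0884c287c5645_JaffaCakes118.exe"'},
    {"id": 13, "pid": 1992,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"id": 1, "pid": 2536, "ppid": 1992,
     "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe"},
    {"id": 11, "pid": 2536, "target": r"C:\Windows\Hacker.com.cn.exe"},
    {"id": 11, "pid": 2536, "target": r"C:\Windows\uninstal.bat"},
    {"id": 1, "pid": 2940, "ppid": 2536,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Windows\uninstal.bat"},
    # Benign noise: an installer in its own temp folder writing only to its own folder.
    {"id": 1, "pid": 4100, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
    {"id": 11, "pid": 4100, "target": r"C:\Users\Admin\AppData\Local\Temp\out\a.exe"},
]


def analyse(events):
    """Return one alert dict per process that completes all three stages."""
    procs = {}                    # pid -> process-create event
    drops = defaultdict(list)     # pid -> files it created under C:\Windows
    bat_runs = defaultdict(list)  # parent pid -> .bat paths it ran via cmd /c
    for ev in events:
        if ev["id"] == 1:
            procs[ev["pid"]] = ev
            m = CMD_BAT_RE.search(ev["cmdline"])
            if m:
                bat_runs[ev["ppid"]].append(m.group("bat"))
        elif ev["id"] == 11 and WINDOWS_DIR_RE.match(ev["target"]):
            drops[ev["pid"]].append(ev["target"])

    alerts = []
    for pid, p in procs.items():
        if not IXP_DIR_RE.search(p["image"]):
            continue  # stage 1 not met
        dropped = drops.get(pid, [])
        exes = [d for d in dropped if d.lower().endswith(".exe")]
        bats = [d for d in dropped if d.lower().endswith((".bat", ".cmd"))]
        if not exes or not bats:
            continue  # stage 2 needs both a payload and a script in C:\Windows
        wanted = {b.lower() for b in bats}
        executed = [b for b in bat_runs.get(pid, []) if b.lower() in wanted]
        if not executed:
            continue  # stage 3: the dropped script must actually be run
        alerts.append({"pid": pid, "parent": p.get("ppid"), "image": p["image"],
                       "payload": exes, "script": executed})
    return alerts


def run_once_cleanup(events):
    """RunOnce wextract_cleanup* values: normal for any IExpress package, so
    surface them as context for the analyst, not as a persistence finding."""
    return [ev["details"] for ev in events
            if ev["id"] == 13 and "\\RunOnce\\wextract_cleanup" in ev["target"]]


if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(f"ALERT pid={a['pid']} parent={a['parent']} payload={a['payload']} script={a['script']}")
    for v in run_once_cleanup(EVENTS):
        print("context: IExpress cleanup RunOnce ->", v)
```

Requiring all three stages keeps ordinary IExpress installers (which also extract to IXP000.TMP and write the same RunOnce value) from firing; the benign setup.exe events in the constructed input produce no alert, while 4.exe (PID 2536, parent 1992) does.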
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 789KB
  MD5: ec0c29add6ca3345cc89f3c93ea54317
  SHA1: bcca4323a723e7b5717d42524425a38981f707ce
  SHA256: c94637967eabbd861d8ecfee6a31b84c305222c3e29587764da9e08fd0858a65
  SHA512: d9b620aac58d66da9f288ba3676142c6a55dca528ab44917508ed7c8c5b87806bdf41b52a259041ae6ae13647ac8f43159eee66db4eaae79839763de1731cd02
- Filesize: 150B
  MD5: 5edd682a8b1f2bf873300774f954ab03
  SHA1: 2cca4e743d02dbccf31b784ea26a60c03dcc9637
  SHA256: a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a
  SHA512: 916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2