Analysis
max time kernel: 130s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/07/2024, 16:20
Static task: static1
Behavioral task: behavioral1
  Sample: 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
Size: 147KB
MD5: 357a71bc43621cd13d8019d8eab8321e
SHA1: 7ba961decbab63775e375fe476d2678caebee4fd
SHA256: c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602
SHA512: 6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846
SSDEEP: 3072:tOCn1rixFxB2MtsHQvjcPs1+nKYkdoqrhyK4gPVQDr9IF2q27iR1+aJe1mgawzx+:tOCn1rifm+sujcPsInKTtPVQGF2q2OR5
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts  by tsrv.exe

Event Triggered Execution: AppInit DLLs (1 TTP)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. No AppInit_DLLs registry write appears among the IoCs in this report; the tag marks the technique, not an observed value.

Executes dropped EXE (1 IoC)
  PID 4720: tsrv.exe

Loads dropped DLL (1 IoC)
  PID 4720: tsrv.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tsrv = "C:\\Windows\\tsrv.exe s"  by tsrv.exe
  The WOW6432Node path is the 32-bit registry view: tsrv.exe is a 32-bit process writing the logical key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so a hunt on an x64 host must check the redirected view and not only the native one. The stored command repeats the "s" argument the dropper used to launch tsrv.exe.

Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\msji449c14b7.dll  by tsrv.exe
  File created: C:\Windows\SysWOW64\cmut449c14b7.dll  by tsrv.exe
  File created: C:\Windows\SysWOW64\hpzl449c14b7.exe  by tsrv.exe
  File opened for modification: C:\Windows\SysWOW64\B98C.tmp  by tsrv.exe

Drops file in Windows directory (5 IoCs)
  File created: C:\Windows\tsrv.exe  by 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
  File opened for modification: C:\Windows\tsrv.exe  by 357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
  File created: C:\Windows\tsrv.dll  by tsrv.exe
  File opened for modification: C:\Windows\tsrv.wax  by tsrv.exe
  File created: C:\Windows\tsrv.s  by tsrv.exe

Opens file in notepad (likely ransom note) (1 IoC)
  PID 2620: notepad.exe
  This signature fires whenever notepad.exe is launched with a file argument (here C:\Users\Admin\AppData\Local\Temp\920E.tmp). The report records no file encryption or extension changes, so "ransom note" is a heuristic label, not a confirmed finding.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4720: tsrv.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 672 (357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe) wrote to memory of PID 4720 (tsrv.exe), procid_target 86: 3 events
  PID 672 (357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe) wrote to memory of PID 2620 (notepad.exe), procid_target 87: 3 events
  Three writes into each newly created child is the pattern produced by ordinary process creation, where the parent writes the child's startup parameters into its address space; on its own it is not evidence of code injection.
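The following PowerShell is an added triage script, not part of the sandbox report or of the sample: it checks a suspect Windows host for the file, registry, hosts-file and process indicators listed in the Signatures section. The paths, registry value names and SHA256 hashes are copied from this report; the function names, the output layout and the decision to treat every active hosts-file line as a finding for review are this script's own assumptions.

```powershell
# Added example (not part of the sandbox report or the sample): look for the
# indicators listed in the Signatures section on a suspect x64 Windows host.
# Run in an elevated PowerShell. Paths, value names and hashes are copied from
# the report; function names and the output shape are this script's own.
$ErrorActionPreference = 'SilentlyContinue'

# Files the report records as created or modified by the dropper and tsrv.exe.
$DroppedPaths = @(
    'C:\Windows\tsrv.exe', 'C:\Windows\tsrv.dll', 'C:\Windows\tsrv.wax', 'C:\Windows\tsrv.s',
    'C:\Windows\SysWOW64\msji449c14b7.dll', 'C:\Windows\SysWOW64\cmut449c14b7.dll',
    'C:\Windows\SysWOW64\hpzl449c14b7.exe'
)

# SHA256 of the sample and of every artifact in the report's Downloads section.
$ReportSha256 = @(
    'c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602',
    '0e8a026c3220e8762ef698646ed636c464d1dda4fdf67aed74e27b305871dfc5',
    '66364c1bdefa75929031d7d2a434b1ebb0f60a308e50c424844673c13cf31561',
    '0d3ca0588fa5d9bd60d6a79287fb53ffb72873fd72214ef2417cb8b26598d9e7',
    'c68684e9b767de37cadca70aff84431d656588064874b97aac61503b8f271ca8',
    '606421e1c2a5585de6d17d0f195da37feb9dbc5e50548de87406ca7516d2ad62',
    '46f28afb06ef8f693406228e9c2aec680df81daf84d982b578e5b7ad7fef7fda',
    'e2cebc7908011052e01d6060b90ff9a44eb3b5d2e055dbccbb49d393eb9dbea5',
    '2c81a4c846b050a27b91fbd2c299a2301bf7f76b82954adcb292910f1ef51bd0',
    '76b493610026c5f0bd2c85008df35bcaf91a29d84cd2560af75413fe617d0e20'
)

function New-Finding($Check, $Detail, $MatchesReport) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail; MatchesReport = $MatchesReport }
}

function Test-DroppedFiles {
    foreach ($p in $DroppedPaths) {
        if (Test-Path -LiteralPath $p) {
            # A hash match ties the file to this exact sample; a path-only hit
            # still matters, since the payload may have been rebuilt.
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            New-Finding 'DroppedFile' "$p sha256=$h" ($ReportSha256 -contains $h)
        }
    }
}

function Test-RunKey {
    # The report shows the value under WOW6432Node because tsrv.exe is 32-bit;
    # check the redirected view and the native view.
    foreach ($k in 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $v = Get-ItemProperty -Path $k -Name 'tsrv'
        if ($v) { New-Finding 'RunKey' "$k\tsrv = $($v.tsrv)" ($v.tsrv -eq 'C:\Windows\tsrv.exe s') }
    }
}

function Test-AppInitDlls {
    # The report tags the AppInit DLLs technique but records no value, so any
    # non-empty AppInit_DLLs here is a lead to review, not proof of this sample.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $p = Get-ItemProperty -Path $k
        if ($p.AppInit_DLLs) {
            New-Finding 'AppInit_DLLs' "$k : '$($p.AppInit_DLLs)' LoadAppInit_DLLs=$($p.LoadAppInit_DLLs)" $false
        }
    }
}

function Test-HostsFile {
    # tsrv.exe opened the hosts file for modification. A stock Windows hosts
    # file contains only comments, so every active mapping is reported for review.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -LiteralPath $hosts) {
        $active = ($line -split '#', 2)[0].Trim()
        if ($active) { New-Finding 'HostsEntry' $active $false }
    }
}

function Test-RunningProcess {
    # Name match only; the report gives no hash for the in-memory image.
    foreach ($proc in Get-Process -Name 'tsrv') {
        New-Finding 'Process' "PID $($proc.Id) $($proc.Path)" $true
    }
}

$findings = @(Test-DroppedFiles) + @(Test-RunKey) + @(Test-AppInitDlls) + @(Test-HostsFile) + @(Test-RunningProcess)
if ($findings.Count -eq 0) { 'None of the report IoCs were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it elevated so the HKLM keys, the hosts file and the SysWOW64 paths are readable. A DroppedFile row with MatchesReport = True is the same bytes the sandbox saw; a row with False at one of the report's paths is still worth pulling, since a rebuilt payload keeps its install paths more often than its hashes. HostsEntry rows are not tagged as matches because the report shows only that the file was opened for writing, not what was written.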
Processes
1. C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe  (PID 672)
   Command line: "C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\tsrv.exe  (PID 4720, child of 672)
      Command line: C:\Windows\tsrv.exe s
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx

   2. C:\Windows\SysWOW64\notepad.exe  (PID 2620, child of 672)
      Command line: C:\Windows\System32\notepad.exe C:\Users\Admin\AppData\Local\Temp\920E.tmp
      - Opens file in notepad (likely ransom note)
      The command line names System32 but the image that ran is SysWOW64\notepad.exe: the 32-bit parent is subject to file system redirection on x64, which also accounts for the SysWOW64 drop paths and the WOW6432Node Run key recorded above.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): AppInit DLLs (1)
Downloads

Filesize: 55KB
MD5: a94e8bf6886703fc51f222d3a0f554dc
SHA1: 2fc428aee9bf8b19e7c6bc3be30b243b16ec95ac
SHA256: 0e8a026c3220e8762ef698646ed636c464d1dda4fdf67aed74e27b305871dfc5
SHA512: b056b9a6653c720b0da7b73f674fdf491ea771f2e135755a96424846b10911e99b18ce976c43ed060569cdb02e8f0108b30b101d00a0f8c589cb0c1537953944

Filesize: 6KB
MD5: cf3d1a580e2895c12361419c6c3e8580
SHA1: ea1338f55c190c66af4dea73d5ec3e8c5806187c
SHA256: 66364c1bdefa75929031d7d2a434b1ebb0f60a308e50c424844673c13cf31561
SHA512: 7fbad15c85b57e0d256cbe51e83e9f01bba764a7a4cd4c28ff0e5e64b5abe59ada448694421c87e801b411d5dd34a23115f93871af5d688742ea9a5ee6f08b51

Filesize: 5KB
MD5: 392090050d9cf1f100365c5939bde059
SHA1: 948d42e4251c34876b50ed27c9d0c20aa2b5864a
SHA256: 0d3ca0588fa5d9bd60d6a79287fb53ffb72873fd72214ef2417cb8b26598d9e7
SHA512: 5ee49d08db229dad3fc23a7c53e71fc881d67ee7168cc6fd9e52ad0c899138a7a33b15cc427a8f0d3e826e7f1634939a6ece19fee4d8bcb905b5521effdaaf12

Filesize: 147KB  (the submitted sample; hashes match the General section)
MD5: 357a71bc43621cd13d8019d8eab8321e
SHA1: 7ba961decbab63775e375fe476d2678caebee4fd
SHA256: c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602
SHA512: 6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846

Filesize: 4KB
MD5: 3e993a41ae687a17bff174e515f13df2
SHA1: 49a8d2d615b47f61dd7d24d4a8249a4fb26f101a
SHA256: c68684e9b767de37cadca70aff84431d656588064874b97aac61503b8f271ca8
SHA512: a665a4692c319220ad3dec4068ac3b1b070fa39e32b374ae594afa0bbe1a014670394bf18859a731f7b2dc8867dd520608497c7ff389ad548d38cc7678e9a3d2

Filesize: 4KB
MD5: 8fca3869920d1f39a5bc5ad895aaecf7
SHA1: 5035c8de92d1e585fa23b8c217f75353d67d40dd
SHA256: 606421e1c2a5585de6d17d0f195da37feb9dbc5e50548de87406ca7516d2ad62
SHA512: b2817e3d4abb1030a8a2beeda7b91a8b6d880e59fafb2b0bff1471c21904288c52a95c54e2bda61e20464cc58f542d541aa7f1605329480f4751693e95f6c8ad

Filesize: 680B
MD5: 15e64d0ad7d79bb7101929b1721b5685
SHA1: a61974413b6ed6947be982b6a94aff0749e30422
SHA256: 46f28afb06ef8f693406228e9c2aec680df81daf84d982b578e5b7ad7fef7fda
SHA512: 56269a50455f56b5e56a77e4f756290f6a085c782ddef84279699ad706c796aa3b6645926ca48964cf86044ac7e995dac9c39b33fe49029143501aef762b87f0

Filesize: 1KB
MD5: 644a8aea241d790bd6f814f399f90633
SHA1: a6ca891c0fcb3594ff8aaf463fbe7f463cf294d1
SHA256: e2cebc7908011052e01d6060b90ff9a44eb3b5d2e055dbccbb49d393eb9dbea5
SHA512: 99111a1c52ca895298e7000fea86122c405ad13c2bd435dd428a666d287a04ea8d14dcfaf348e5523a86ee90bf325c4c299e780694d51176e6396bb1c87ab5af

Filesize: 1KB
MD5: db22c67f40d581dfa5de962ce72bff41
SHA1: 65f41151bca8ceb1f11e92963118e9cbc9486c74
SHA256: 2c81a4c846b050a27b91fbd2c299a2301bf7f76b82954adcb292910f1ef51bd0
SHA512: c8e7ac853869cf5a665c7c1da3214503933d8571cdcb9601288be9d5e039e525d8b16a26ee199d8ce4ee361f46c05579fb4baf07f97db995c863edc25d3ce0be

Filesize: 2KB
MD5: 05bdcf433695ae363319e2c7d7591258
SHA1: f67e7d492a1754006d8a28ee8cde75ff6e5c3d67
SHA256: 76b493610026c5f0bd2c85008df35bcaf91a29d84cd2560af75413fe617d0e20
SHA512: babf779c519e9e5317c7e111f1a51ffd862bbce97af2d3c94efda89be4dd13b30abae2a3164cc6bf043cc40970caef40fa986ef7dc67c50e040c9dc2a14a8d17