Analysis
max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted
10/07/2024, 17:53
Static task
static1
Behavioral task
behavioral1
Sample
35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
Target
35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Size
464KB
MD5
35c5da8537ca04c1efec5d828bd85296
SHA1
108e52f570ccafcd7846b6bee700180f38af0b28
SHA256
facd07e963be2c76765db828dd1e3472c4b35b2e06970c7fa45de159dbc42133
SHA512
59bc38a24198386e28eb939b9f8d6d54b2e427b315523ec5da9b179322396e7e03df98e6e6b3b6256f2007eb7b44d633b3dad04e863e2908e10a11123279e7ed
SSDEEP
12288:m+kdOPWLXkTK1nWoYEcNLEHX4LFkhSVkuVGX:mLgDKB/lvXs2X
Malware Config
Signatures
Adds policy Run key to start application 2 TTPs 2 IoCs
The Policies\Explorer\Run key is the Group Policy-backed autostart list; Explorer launches every value under it at logon, so it deserves the same scrutiny as CurrentVersion\Run. The doubled backslashes in the value are the report's string escaping; the stored path is C:\Windows\SysWOW64\NOISEB.exe.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Oacgop = "C:\\Windows\\SysWOW64\\NOISEB.exe" | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Drops file in Drivers directory 1 IoCs
The report records only that the hosts file was opened for writing; the resulting contents are not captured here, so the file on any affected host has to be inspected directly.
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | NOISEB.exe
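Because the trace shows NOISEB.exe writing to the hosts file but not what it wrote, the follow-up check is to parse the file and look for overrides. The parser below is an added example for this report, not code from the sample or the sandbox; the hosts content it runs on is constructed, and the watch-list of domain suffixes is an assumption to adapt to your own environment.

```python
"""Parse a Windows hosts file and flag entries worth a second look (added example)."""
import ipaddress
import os
from typing import List, NamedTuple, Optional, Tuple


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Windows hosts syntax: '<ip> <name> [name ...]'; '#' starts a comment."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver ignores such lines too
        entries.append(HostsEntry(line_no, fields[0], [n.lower() for n in fields[1:]]))
    return entries


# Assumed watch-list: suffixes a defender does not expect to find pinned in hosts.
WATCHED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "virustotal.com",
                    "symantec.com", "mcafee.com", "kaspersky.com", "avast.com", "eset.com")


def flag_entries(entries: List[HostsEntry]) -> List[Tuple[int, str, str, str]]:
    """Return (line, name, address, reason) for overrides of watched domains or non-loopback mappings."""
    findings = []
    for e in entries:
        addr = ipaddress.ip_address(e.address)
        for name in e.names:
            if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
                findings.append((e.line_no, name, e.address, "watched domain overridden"))
            elif not addr.is_loopback and name != "localhost":
                findings.append((e.line_no, name, e.address, "non-loopback override"))
    return findings


def read_live_hosts() -> Optional[str]:
    """Read %SystemRoot%\\System32\\drivers\\etc\\hosts if present; None on other systems."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed sample, not the contents written by the sample in this report.
CONSTRUCTED_HOSTS = """\
# constructed hosts file for the example
#\t127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virustotal.com
203.0.113.5     www.bank.example
"""

if __name__ == "__main__":
    text = read_live_hosts() or CONSTRUCTED_HOSTS
    for line_no, name, address, reason in flag_entries(parse_hosts(text)):
        print(f"line {line_no}: {name} -> {address} ({reason})")
```

Run it on the affected host to check the live file; off-host it falls back to the constructed sample. Loopback entries for localhost are skipped because they are the default Windows content, and a non-loopback mapping is reported as a lead rather than a verdict, since some environments pin internal names legitimately.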
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
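What a sample gets from that query is a REG_MULTI_SZ whose strings name the firmware vendor, and hypervisors ship recognisable ones. The script below is an added example, not the sample's code: it reproduces the check as a classifier over the value so an analyst can confirm whether a lab VM gives itself away. The marker list and the two sample values are assumptions (the VirtualBox and Dell strings are constructed examples); reading the live value only works on Windows, where winreg exists.

```python
"""Sandbox-fingerprint check on SystemBiosVersion (added example, not the sample's code)."""
import platform
from typing import Iterable, List, Optional

# Assumed marker list: substrings that common hypervisor/emulator BIOS strings carry.
VIRT_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS",
                "XEN", "VRTUAL", "PARALLELS")


def classify_bios(values: Iterable[str]) -> List[str]:
    """Return the markers present in a SystemBiosVersion REG_MULTI_SZ, in VIRT_MARKERS order."""
    blob = " ".join(values).upper()
    return [m for m in VIRT_MARKERS if m in blob]


def looks_virtualized(values: Iterable[str]) -> bool:
    """True when at least one marker matches; this is the decision the sample would take."""
    return bool(classify_bios(values))


def read_system_bios_version() -> Optional[List[str]]:
    """Read the value the sample queried; None when not on Windows (winreg is Windows-only)."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module, imported lazily on purpose
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        value, kind = winreg.QueryValueEx(key, "SystemBiosVersion")
    return list(value) if kind == winreg.REG_MULTI_SZ else [str(value)]


# Constructed examples of the value on a VirtualBox guest and on a physical Dell machine.
CONSTRUCTED_VBOX = ["VBOX   - 1"]
CONSTRUCTED_PHYSICAL = ["DELL   - 1072009", "1.5.0"]

if __name__ == "__main__":
    live = read_system_bios_version()
    if live is None:
        print("not on Windows; constructed VBOX value ->", classify_bios(CONSTRUCTED_VBOX))
    else:
        print("SystemBiosVersion:", live, "->", classify_bios(live) or "no marker")
```

If the live value matches, the fix is on the hypervisor side (VirtualBox and VMware both let you override the DMI/BIOS strings the guest sees); the same query pattern is worth repeating for SystemManufacturer and VideoBiosVersion under the same key, which samples read for the same reason.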
Deletes itself 1 IoCs
pid | Process
2952 | cmd.exe
Executes dropped EXE 1 IoCs
pid | Process
2876 | NOISEB.exe
Loads dropped DLL 2 IoCs
pid | Process
1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
The EnableLUA query belongs to this signature (it is listed under PID 1856 in the process tree below); the report lost its heading.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\NOISEB.exe | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\NOISEB.exe | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
2764 | ipconfig.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2876 | NOISEB.exe
Suspicious use of WriteProcessMemory 12 IoCs
Every target here is a child the writer creates in the process tree (1856 writes to 2876 and 2952, 2876 writes to 2764), and each pair is listed four times. A parent writing into a freshly created child's address space is part of ordinary process start-up on Windows, so this signature on its own does not show injection into an unrelated process.
description | pid | Process | procid_target
PID 1856 wrote to memory of 2876 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 32
PID 1856 wrote to memory of 2876 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 32
PID 1856 wrote to memory of 2876 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 32
PID 1856 wrote to memory of 2876 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 32
PID 2876 wrote to memory of 2764 | 2876 | NOISEB.exe | 34
PID 2876 wrote to memory of 2764 | 2876 | NOISEB.exe | 34
PID 2876 wrote to memory of 2764 | 2876 | NOISEB.exe | 34
PID 2876 wrote to memory of 2764 | 2876 | NOISEB.exe | 34
PID 1856 wrote to memory of 2952 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 36
PID 1856 wrote to memory of 2952 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 36
PID 1856 wrote to memory of 2952 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 36
PID 1856 wrote to memory of 2952 | 1856 | 35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe"
- Adds policy Run key to start application
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
  C:\Windows\SysWOW64\NOISEB.exe (depth 2)
  command line: C:\Windows\SysWOW64\NOISEB.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
    C:\Windows\SysWOW64\ipconfig.exe (depth 3)
    command line: "C:\Windows\system32\ipconfig.exe" /flushdns
    - Gathers network information
    PID:2764
  C:\Windows\SysWOW64\cmd.exe (depth 2)
  command line: /c C:\Users\Admin\AppData\Local\Temp\~unins6916.bat "C:\Users\Admin\AppData\Local\Temp\35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe"
  - Deletes itself
  PID:2952
Two details of the tree are worth noting. The ipconfig command line names system32\ipconfig.exe while the image that ran is under SysWOW64: NOISEB.exe is a 32-bit process, so WOW64 file system redirection rewrote the path, which is also why the dropped binary itself landed in SysWOW64 rather than System32. The cmd.exe child runs a batch file from the user's Temp directory and receives the sample's own path as its argument; that is the self-deletion pattern the "Deletes itself" signature refers to, with ipconfig /flushdns run after the hosts file is touched so that cached answers do not mask the new entries.
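The signatures above are individually generic; what makes this trace worth acting on is their combination in one process lineage. The script below is an added example, not part of the report or of the sandbox: it restates the rows for the policy Run key, the dropped binary, the hosts file and the self-delete batch as event records (constructed from this report, in field names that are this example's own) and runs four triage rules over them in trace order. The autostart key list and the rule names are assumptions.

```python
"""Triage rules over sandbox-style events (added example; EVENTS is constructed from the report rows)."""
import re
from typing import Any, Dict, List, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\35c5da8537ca04c1efec5d828bd85296_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\NOISEB.exe"

# Constructed from the rows in this report; this is not a real sandbox export format.
EVENTS: List[Dict[str, Any]] = [
    {"type": "reg_set", "pid": 1856, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Oacgop",
     "data": DROPPED},
    {"type": "file_create", "pid": 1856, "image": SAMPLE, "path": DROPPED},
    {"type": "proc_create", "pid": 1856, "image": SAMPLE, "child_pid": 2876,
     "child_image": DROPPED, "cmdline": DROPPED},
    {"type": "file_write", "pid": 2876, "image": DROPPED,
     "path": r"C:\Windows\system32\drivers\etc\hosts"},
    {"type": "proc_create", "pid": 2876, "image": DROPPED, "child_pid": 2764,
     "child_image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r'"C:\Windows\system32\ipconfig.exe" /flushdns'},
    {"type": "proc_create", "pid": 1856, "image": SAMPLE, "child_pid": 2952,
     "child_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c C:\Users\Admin\AppData\Local\Temp\~unins6916.bat "' + SAMPLE + '"'},
]

# Assumed autostart key fragments, lower-case, ending in the separator so the value name follows.
AUTORUN_KEYS = (
    "\\currentversion\\policies\\explorer\\run\\",
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
)
# 'cmd.exe /c <something>.bat', with or without quotes around the batch path.
BATCH_RE = re.compile(r'/c\s+"?(?P<bat>[^"\s]+\.bat)"?', re.IGNORECASE)

Finding = Tuple[str, int, str]


def triage(events: List[Dict[str, Any]]) -> List[Finding]:
    """Walk events in order and return (rule, pid, detail) findings."""
    dropped: Set[str] = set()  # paths this trace created on disk, for the dropped-then-executed rule
    findings: List[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            dropped.add(str(ev["path"]).lower())
        elif kind == "reg_set":
            if any(k in str(ev["key"]).lower() for k in AUTORUN_KEYS):
                findings.append(("autorun_persistence", ev["pid"], f'{ev["key"]} = {ev["data"]}'))
        elif kind == "file_write":
            if str(ev["path"]).lower().endswith(r"\drivers\etc\hosts"):
                findings.append(("hosts_file_tamper", ev["pid"], str(ev["path"])))
        elif kind == "proc_create":
            child = str(ev["child_image"]).lower()
            cmd = str(ev["cmdline"])
            m = BATCH_RE.search(cmd)
            # cmd.exe /c <batch> with the parent's own path on the command line: the self-delete stub
            if child.endswith(r"\cmd.exe") and m and str(ev["image"]).lower() in cmd.lower():
                findings.append(("self_delete_batch", ev["pid"], m.group("bat")))
            elif child in dropped:
                findings.append(("executes_dropped_exe", ev["pid"], str(ev["child_image"])))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:<22} pid={pid} {detail}")
```

The self-delete rule keys on the parent's own image path appearing in the cmd.exe command line rather than on the batch file name, because the ~unins prefix and number vary between runs. The dropped-then-executed rule deliberately needs the file_create event to precede the proc_create, which is why the function keeps trace order instead of grouping by type.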
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
49B
MD5
9e0a2f5ab30517809b95a1ff1dd98c53
SHA1
5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
SHA256
97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
SHA512
e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
Filesize
233KB
MD5
8bc5e28397f9be95937739f3c3ceb808
SHA1
b04a02c32e1a49b5d22cc7c34d9312ca2a07cd2f
SHA256
3d0e9f59535a0667792df0470a6348e52cb889359ab1e4cfff5cd1257dfc847d
SHA512
ece81bf491fd8b04f1025c93236c9c03d5e106dde3157796f6e6124054affdfdbd0bf904773a48859335fb7bbfc62516450ea6052720eb3bc557cfb460f36b6b