Analysis
- max time kernel: 150s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-07-2024 21:06

Behavioral task: behavioral1
- Sample: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
- Size: 19KB
- MD5: 3661c0a8878c7895ea52e64f3f9fa685
- SHA1: 4c88841d5a619aaa92491bdb73c5b85c20314f82
- SHA256: a144607ef15f4f982c648c8995a3bd0bbade5e13461ec9e27c9d994dccec6534
- SHA512: 9e129f9fe63e038b790d48410b1f96d75232453997c83d9d823dd1b6526ced1cc3ba75bf5630ead3bae330772c46c1dd46757b6586f90ba6a49a1081651725c9
- SSDEEP: 384:erTWjZkBVsc7FDtWNColOQE97NNjfLidb9SwdDFRCdmofuicL:e/bB3NtWNColOQE9RNjfL6h6Nfi
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    pid: 4656
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
-
  Processes:
    resource: behavioral2/memory/4656-0-0x0000000000400000-0x0000000000412000-memory.dmp
    yara_rule: upx

    resource: behavioral2/memory/4656-12-0x0000000000400000-0x0000000000412000-memory.dmp
    yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bqvvitxl = "C:\\Windows\\qvtluybe.exe"
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
- Drops file in System32 directory (1 IoCs)
  Processes: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    description: File created
    ioc: C:\Windows\SysWOW64\lvvtwmky.dll
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    description: File opened for modification
    ioc: C:\Windows\qvtluybe.exe
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe

    description: File created
    ioc: C:\Windows\qvtluybe.exe
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    pid: 4656
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    (the same pid/process row is recorded four times)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    pid: 4656
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    description: PID 4656 wrote to memory of 3440
    pid: 4656
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    target process: Explorer.EXE

    description: PID 4656 wrote to memory of 3440
    pid: 4656
    process: 3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    target process: Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3440
  - C:\Users\Admin\AppData\Local\Temp\3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3661c0a8878c7895ea52e64f3f9fa685_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4656
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40KB
  MD5: 014ce4f5ab08e6dafcc61fa64de6bdb5
  SHA1: 011584beaf6155ca285ab992bb21c9da3b9defc6
  SHA256: 57d25af09feb5644125f0be661c39a74b2252d638f7b5bde053a7c2573e76ce7
  SHA512: 6a23c48a9d7038107fcec55a14d895e0650ab3d0edbfc37255cc1e6c88cb907d51a21e93ab14ed52135ec6645de2846c93c24d34a6af7441a98421a5c7507ef2