Analysis

max time kernel: 84s
max time network: 149s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 21:09
Static task: static1

Behavioral task: behavioral1
  Sample: 36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe
Size: 187KB
MD5: 36644e0e2f9978ca12f1ac5e713d2889
SHA1: 29d2b9d97ce41bb68df1121cd54a2170fc2c782a
SHA256: 0a9be1d4052365bb249cd68e98dae1207885ea1db731248adc26ee551cbaa488
SHA512: 2f00d8c046cf607b581624c944362c09e55f1fe4b4ca1683cdc6da6febb1617434c6a2c373009a43b91a4d6174d10462817f3d8630e72e12f20aea5dee6415cf
SSDEEP: 3072:JXKgEUQ000kvZk3mT+Q3snJ/wDTPfPMoph9cI1kKy0Otgvjo4Tk0lU2GXxE9g337:5KgY0M4mTn3sJw33hF1Po4HlMxE9gHQ4
Malware Config
Signatures
Deletes itself (1 IoC)
Processes:
  PID 3008  cmd.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. In this run the hijacked reference is the per-user CLSID {42aedc87-2188-41fd-b9a3-0c966feabec1}, whose InprocServer32 default value is pointed at a path under the user's AppData\Local directory (see Modifies registry class below).
Unexpected DNS network traffic destination (8 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
IoCs:
  Destination IP 66.85.130.234  (8 hits on the DNS port)
The signature keys on the destination port, not on the payload: the eight hits show port-53 traffic to a host that is not the VM's configured resolver, which points at a hard-coded resolver or a C2 channel on port 53, but does not by itself prove the packets carried DNS.
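An added example, not part of the sandbox report, of the check this signature performs, run over constructed tcpdump-style lines. The eight port-53 datagrams to 66.85.130.234 mirror the IoCs above; the resolver address 10.127.0.1, the client address 10.127.0.15, the timestamps and the two non-alerting lines are assumptions, since the report does not list the VM's DNS configuration.

```python
"""Flag port-53 traffic to hosts other than the configured resolvers."""
import re
from collections import Counter

# Hypothetical resolver configuration for the analysis VM; the report does not list it.
CONFIGURED_RESOLVERS = frozenset({"10.127.0.1"})
DNS_PORTS = frozenset({53})

# Constructed tcpdump-style lines. The eight port-53 datagrams to 66.85.130.234 mirror
# the eight IoCs in the report; the client address, timestamps and the last two lines
# are made up to show the cases that must not alert.
SAMPLE_LINES = [
    "21:09:%02d.000000 IP 10.127.0.15.%d > 66.85.130.234.53: UDP, length 48" % (40 + i, 49152 + i)
    for i in range(8)
] + [
    "21:09:50.000000 IP 10.127.0.15.52001 > 10.127.0.1.53: UDP, length 44",
    "21:09:51.000000 IP 10.127.0.15.52002 > 66.85.130.234.80: Flags [S], seq 1, win 8192, length 0",
]

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return (proto, src, sport, dst, dport) or None for lines that are not IPv4 flows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # tcpdump prints "UDP, length N" for UDP datagrams and "Flags [..]" for TCP segments
    proto = "udp" if m["rest"].startswith("UDP") else "tcp"
    return proto, m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def unexpected_dns_destinations(lines, resolvers=CONFIGURED_RESOLVERS):
    """Count packets on a DNS port whose destination is not a configured resolver.

    Keyed on (proto, dst_ip). Like the sandbox signature this keys on the port, not on
    the payload, so a hit means "port 53 to a non-resolver", not "proven DNS".
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proto, _src, _sport, dst, dport = rec
        if dport in DNS_PORTS and dst not in resolvers:
            hits[(proto, dst)] += 1
    return hits


if __name__ == "__main__":
    for (proto, dst), n in unexpected_dns_destinations(SAMPLE_LINES).most_common():
        print("Destination IP %s (%s/53): %d packets" % (dst, proto, n))
```

Swapping the resolver set changes which side alerts: with 66.85.130.234 declared as the resolver, the single lookup to 10.127.0.1 becomes the anomaly instead, which is why the resolver list must come from the host's actual adapter configuration and not from whatever address answered most queries.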
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1652  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe  set thread context of  PID 3008  cmd.exe
Drops file in Windows directory (2 IoCs)
Processes:
  File created  C:\Windows\Installer\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\@  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe
  File created  C:\Windows\Installer\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\n  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe
Modifies registry class (5 IoCs)
Processes (all by 36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe):
  Key created      \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\clsid
  Key created      \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
  Key created      \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"
  Set value (str)  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\(Default) = "C:\Users\Admin\AppData\Local\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\n."
\REGISTRY\USER\<SID>_CLASSES is the per-user HKCU\Software\Classes hive, which the merged HKEY_CLASSES_ROOT view consults before HKLM\Software\Classes; the (Default) value of InprocServer32 names the DLL that COM loads when the CLSID is instantiated in-process. The hijack therefore lives entirely in the user hive and needs no elevation to write. Two details worth noting: the server path ends in "n." and Win32 path normalisation strips trailing dots, so the file actually opened is "n"; and the sandbox recorded the dropped files "@" and "n" under C:\Windows\Installer\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}, whereas the registry value points at the same GUID under AppData\Local, so a disk check of both locations is needed to confirm which copy the COM loader would find.
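An added example, not code from the report or from the sample, of how to hunt for this registry pattern in a .reg export of HKCU\Software\Classes\CLSID. The export is constructed to mirror the keys listed above plus one benign control entry; the control CLSID {11111111-2222-3333-4444-555555555555} and its path C:\Program Files\ExampleVendor\example.dll are made up, and the MACHINE_CLSIDS set stands in for a list that a real hunt would gather from HKLM\Software\Classes\CLSID, so it is an assumption as well. The checks generalise beyond this one sample: per-user server outside trusted directories, server under AppData, bare {GUID} directory, odd file name, and a CLSID that shadows a machine-wide registration.

```python
"""Hunt for per-user COM hijacks in a .reg export of HKCU\\Software\\Classes\\CLSID."""
import re

# Constructed .reg-style export mirroring the keys in the report above; the second
# CLSID and its DLL path are made up as a benign control. Not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\\Users\\Admin\\AppData\\Local\\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\\n."
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\example.dll"
"ThreadingModel"="Apartment"
'''

# Hypothetical: CLSIDs that also exist under HKLM\Software\Classes\CLSID on the host.
# A real hunt enumerates that key; here the hijacked CLSID is assumed to be one of them.
MACHINE_CLSIDS = frozenset({"{42aedc87-2188-41fd-b9a3-0c966feabec1}"})

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(".*")$')
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
USER_CLSID_PREFIX = "hkey_current_user\\software\\classes\\clsid\\"
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _unescape(s):
    # .reg exports escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse REG_SZ values from a .reg export into {key_path: {value_name: data}}.

    The default value (@) is stored under the empty name "".
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def find_com_hijacks(keys, machine_clsids=frozenset()):
    """Return [(clsid, server_path, reasons)] for suspicious per-user InprocServer32 keys."""
    shadowed = {c.lower() for c in machine_clsids}
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        if not path.lower().startswith(USER_CLSID_PREFIX) or parts[-1].lower() != "inprocserver32":
            continue
        clsid = parts[-2]
        server = values.get("", "")
        low = server.lower()
        directory, _, filename = low.rpartition("\\")
        reasons = []
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("server is not under System32, SysWOW64 or Program Files")
        if "\\appdata\\" in low:
            reasons.append("server lives in the user profile (AppData)")
        if GUID_RE.match(directory.rpartition("\\")[2]):
            reasons.append("server directory is a bare {GUID}")
        if filename.endswith("."):
            # Win32 path normalisation strips trailing dots, so the file opened is the name without them
            reasons.append("trailing dot in file name; the file opened is %r" % filename.rstrip("."))
        elif not filename.endswith(".dll"):
            reasons.append("server has no .dll extension")
        if clsid.lower() in shadowed:
            reasons.append("shadows a machine-wide CLSID; HKCU wins in the merged HKCR view")
        if reasons:
            findings.append((clsid, server, reasons))
    return findings


if __name__ == "__main__":
    for clsid, server, reasons in find_com_hijacks(parse_reg(SAMPLE_REG), MACHINE_CLSIDS):
        print(clsid, "->", server)
        for r in reasons:
            print("   -", r)
```

Real exports produced by regedit or reg.exe with the "Version 5.00" header are UTF-16LE, so read the file with encoding="utf-16" before passing the text to parse_reg; REG_BINARY and REG_EXPAND_SZ values (hex: lines) are ignored by the parser, which is fine for InprocServer32 but would miss a server path stored as REG_EXPAND_SZ.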
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  PID 1652  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe  (x7)
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  Token: SeDebugPrivilege         PID 1652  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe  (x3)
  Token: SeBackupPrivilege        PID 476   services.exe
  Token: SeRestorePrivilege       PID 476   services.exe
  Token: SeSecurityPrivilege      PID 476   services.exe
  Token: SeTakeOwnershipPrivilege PID 476   services.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 1652  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe  wrote to memory of  PID 1200  Explorer.EXE  (x2)
  PID 1652  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe  wrote to memory of  PID 476   services.exe  (x1)
  PID 1652  36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe  wrote to memory of  PID 3008  cmd.exe       (x5)
Processes

C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  PID: 476
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200

  C:\Users\Admin\AppData\Local\Temp\36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe  (child of Explorer.EXE)
    Command line: "C:\Users\Admin\AppData\Local\Temp\36644e0e2f9978ca12f1ac5e713d2889_JaffaCakes118.exe"
    PID: 1652
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (child of PID 1652)
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 3008
      - Deletes itself

The sample started cmd.exe with the command line "C:\Windows\system32\cmd.exe", but the image that actually loaded is C:\Windows\SysWOW64\cmd.exe: WOW64 file-system redirection rewrote the path, which means the sample (PID 1652) is a 32-bit process on this x64 VM. That same child, PID 3008, is the target of the SetThreadContext call and of five WriteProcessMemory calls from PID 1652 and is the process credited with the Deletes itself signature, so cmd.exe here is an injection host rather than a shell running a script.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 17e7b6d68a827c577c81df0190842d1c
SHA1: 2799b5dc157c755b5eeb6c8e4672558e4cfa6fc9
SHA256: eb30bb38983eb36d5b007cbd0d764e43e28e2081ab7ee925e94869a26668395e
SHA512: 16243426c848d4e004416b0ea78df0f23c466b92886a06275000000bfdcd085f4d7295f1db2b1830e573743fe82c82951fe6b55e71b55cb3b8d89b5b448e464d