Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11-07-2024 14:05
Static task: static1
Behavioral task: behavioral1
- Sample: 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
- Size: 92KB
- MD5: 39701f5c18d18cd690f7ded4f1ea958e
- SHA1: 982abd7a3c93c48536917a958fc97252f5e225e1
- SHA256: afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
- SHA512: cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
- SSDEEP: 1536:sEUQjlDAMOcnNFCEcK3gGrvOAoY7ld0ckN3wTr3iAkHyy+dOrrrrrr:sVulMMlXE+g41jkNyTr
Malware Config
Signatures
- UAC bypass
  Processes: AppLaunch.exe, AppLaunch.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | AppLaunch.exe
- Deletes itself 1 IoCs
  Processes: explorer.exe
  pid | process
  2500 | explorer.exe
- Executes dropped EXE 3 IoCs
  Processes: explorer.exe, mvscavAP.exe, SiaPort.exe
  pid | process
  2500 | explorer.exe
  2788 | mvscavAP.exe
  2568 | SiaPort.exe
- Loads dropped DLL 6 IoCs
  Processes: 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe, explorer.exe, mvscavAP.exe
  pid | process
  2092 | 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
  2092 | 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
  2500 | explorer.exe
  2500 | explorer.exe
  2788 | mvscavAP.exe
  2788 | mvscavAP.exe
- Adds Run key to start application 2 TTPs 3 IoCs
  Processes: mvscavAP.exe, reg.exe, reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mvscavAP.exe" | mvscavAP.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wins = "C:\\WINDOWS\\ctfmon.exe" | reg.exe
- Suspicious use of SetThreadContext 2 IoCs
  Processes: explorer.exe, SiaPort.exe
  description | pid | process | target process
  PID 2500 set thread context of 2724 | 2500 | explorer.exe | AppLaunch.exe
  PID 2568 set thread context of 2544 | 2568 | SiaPort.exe | AppLaunch.exe
- Drops file in Windows directory 3 IoCs
  Processes: AppLaunch.exe, AppLaunch.exe
  description | ioc | process
  File opened for modification | C:\WINDOWS\ctfmon.exe | AppLaunch.exe
  File opened for modification | C:\WINDOWS\ctfmon.exe | AppLaunch.exe
  File created | C:\WINDOWS\ctfmon.exe | AppLaunch.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key 1 TTPs 2 IoCs
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes: explorer.exe, mvscavAP.exe, SiaPort.exe
  pid | process
  2500 | explorer.exe
  2788 | mvscavAP.exe
  2568 | SiaPort.exe
  (these three rows repeat; 64 IoCs in total)
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes: 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe, explorer.exe, mvscavAP.exe, SiaPort.exe
  description | pid | process
  Token: SeDebugPrivilege | 2092 | 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2500 | explorer.exe
  Token: SeDebugPrivilege | 2788 | mvscavAP.exe
  Token: SeDebugPrivilege | 2568 | SiaPort.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes: AppLaunch.exe, AppLaunch.exe
  pid | process
  2724 | AppLaunch.exe
  2544 | AppLaunch.exe
- Suspicious use of WriteProcessMemory 50 IoCs
  Processes: 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe, explorer.exe, mvscavAP.exe, SiaPort.exe, AppLaunch.exe, AppLaunch.exe
  description | pid | process | target process | occurrences
  PID 2092 wrote to memory of 2500 | 2092 | 39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe | explorer.exe | 4
  PID 2500 wrote to memory of 2724 | 2500 | explorer.exe | AppLaunch.exe | 12
  PID 2500 wrote to memory of 2788 | 2500 | explorer.exe | mvscavAP.exe | 4
  PID 2788 wrote to memory of 2568 | 2788 | mvscavAP.exe | SiaPort.exe | 4
  PID 2568 wrote to memory of 2544 | 2568 | SiaPort.exe | AppLaunch.exe | 12
  PID 2724 wrote to memory of 1684 | 2724 | AppLaunch.exe | reg.exe | 7
  PID 2544 wrote to memory of 1348 | 2544 | AppLaunch.exe | reg.exe | 7
  (identical rows collapsed into the occurrences column; 50 IoCs in total)
Processes
- C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\39701f5c18d18cd690f7ded4f1ea958e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      - UAC bypass
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (depth 4)
        Command line: reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
        - Adds Run key to start application
        - Modifies registry key
    - C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 5)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          - UAC bypass
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\reg.exe (depth 6)
            Command line: reg add hklm\software\microsoft\windows\currentversion\run /v wins /t reg_sz /d C:\WINDOWS\ctfmon.exe /f
            - Adds Run key to start application
            - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 84B
  MD5: f12133d461ae93607418ef1c0d1ff5eb
  SHA1: ff555c4a7875ac2375a5ed2fa8b29982b1b2dc61
  SHA256: ed2685597be7038bd55083c086f9da96b9aec167241405baad6929474a1de5d1
  SHA512: 498f51923dddfe79c96e2b0fbdd8f6deafa47a4f169d669952a22634c4693e6e760ca5beb234a25c870948f9a5de3b60bb13f79f40715ddf971ad5ac26021fcb
- C:\Users\Admin\AppData\Local\Temp\System\mvscavAP.exe
  Filesize: 7KB
  MD5: 1e065c8186d7d23b9fad718e030ad963
  SHA1: ed1f41e4d34ed3321eb9dfbc6ac82b322de0c904
  SHA256: 45c1f790d9b856ccc02aa6be9f1102734fd9df534f6cea3b905de0698caedfdb
  SHA512: feef86acf449371102d4bf7a3b6aa50ebafff01d4f23c9bf24f69e35faf92956f205d8c8ea082d615e62b680ed1038dfda6e4e099707be45c2b7bdf32bffbc23
- C:\WINDOWS\ctfmon.exe
  Filesize: 54KB
  MD5: 0f01571a3e4c71eb4313175aae86488e
  SHA1: 2ba648afe2cd52edf5f25e304f77d457abf7ac0e
  SHA256: 8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
  SHA512: 159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Filesize: 92KB
  MD5: 39701f5c18d18cd690f7ded4f1ea958e
  SHA1: 982abd7a3c93c48536917a958fc97252f5e225e1
  SHA256: afcaaf746e58ff7c2976963accf7b032cb21a028a6857b5a7f542dbb335b2b2c
  SHA512: cb804688ca6496a0f4a06f56a561134aaf1f9631b2e4e8de4ffa5a7ca183c7d8a221a8d3a3ea33efe7a6505bfab5dea115f9ac24b33333f4523bad68433314ff
- memory/2092-1-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB
- memory/2092-2-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB
- memory/2092-14-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB
- memory/2092-0-0x0000000074581000-0x0000000074582000-memory.dmp
  Filesize: 4KB
- memory/2500-15-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB
- memory/2500-16-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB
- memory/2500-67-0x0000000074580000-0x0000000074B2B000-memory.dmp
  Filesize: 5.7MB
- memory/2544-60-0x0000000000240000-0x0000000000291000-memory.dmp
  Filesize: 324KB
- memory/2724-24-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2724-35-0x0000000000800000-0x0000000000851000-memory.dmp
  Filesize: 324KB
- memory/2724-26-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2724-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2724-32-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2724-66-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2724-22-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB