Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-07-2024 23:16
Behavioral task: behavioral1
Sample: 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
Resource: win7-20240705-en
General
- Target: 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- Size: 250KB
- MD5: 3f42f10528e56dd20c636b59c8756c9d
- SHA1: 4903d8c0317bd5c2926a6166ccc5887a233412a8
- SHA256: 2581d671c4462758584617222a05bde6f7811b75e722c4ed48da73e7138c7b23
- SHA512: ed2c95f3ab036f4e03735cd1ccab7f56ca587fa81d3f2a8c7c76962286bd00da2ae1797225298f4e28622adc4fe5aadbb2db20d65125741a601067a93cc7ce86
- SSDEEP: 6144:36BsG/hwMrIrM+NW6o2SWnIq+ikCdGodAXbA7:KBsGbr4/xS2hdEbA7
Malware Config
Extracted
cybergate
2.5
Fucked
clochard42.no-ip.biz:81
***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: WindowsUpdate
- install_file: Svch0st.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YO755Y3B-E486-Q6LI-6X1E-37JWLHKW761F}\StubPath = "C:\\Program Files (x86)\\WindowsUpdate\\Svch0st.exe Restart" | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YO755Y3B-E486-Q6LI-6X1E-37JWLHKW761F} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{YO755Y3B-E486-Q6LI-6X1E-37JWLHKW761F}\StubPath = "C:\\Program Files (x86)\\WindowsUpdate\\Svch0st.exe" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{YO755Y3B-E486-Q6LI-6X1E-37JWLHKW761F} | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- YARA rule matches
  resource | yara_rule
  behavioral2/memory/3076-3-0x0000000024010000-0x0000000024052000-memory.dmp | upx
  behavioral2/memory/3076-54-0x0000000024060000-0x00000000240A2000-memory.dmp | upx
  behavioral2/memory/3540-58-0x0000000024060000-0x00000000240A2000-memory.dmp | upx
  behavioral2/memory/3540-59-0x0000000024060000-0x00000000240A2000-memory.dmp | upx
  behavioral2/memory/3076-63-0x00000000240B0000-0x00000000240F2000-memory.dmp | upx
  behavioral2/memory/3076-66-0x0000000024100000-0x0000000024142000-memory.dmp | upx
  behavioral2/memory/408-119-0x0000000024100000-0x0000000024142000-memory.dmp | upx
  behavioral2/memory/3540-156-0x0000000024060000-0x00000000240A2000-memory.dmp | upx
  behavioral2/memory/408-166-0x0000000024100000-0x0000000024142000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Program Files (x86)\\WindowsUpdate\\Svch0st.exe" | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Program Files (x86)\\WindowsUpdate\\Svch0st.exe" | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\WindowsUpdate\Svch0st.exe | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\WindowsUpdate\ | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
  File created | C:\Program Files (x86)\WindowsUpdate\Svch0st.exe | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\WindowsUpdate\Svch0st.exe | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3076 | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
  3076 | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  408 | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 408 | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
  Token: SeDebugPrivilege | 408 | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  3076 | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3076 wrote to memory of 3404 | 3076 | 3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe | 56
  (the report lists this same row 64 times, one per IoC)
Processes
- C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3404
    - C:\Users\Admin\AppData\Local\Temp\3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe"
        signatures: Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        PID: 3076
        - C:\Windows\SysWOW64\explorer.exe
            command line: explorer.exe
            signatures: Boot or Logon Autostart Execution: Active Setup
            PID: 3540
        - C:\Program Files\Internet Explorer\iexplore.exe
            command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            PID: 1992
        - C:\Users\Admin\AppData\Local\Temp\3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\3f42f10528e56dd20c636b59c8756c9d_JaffaCakes118.exe"
            signatures: Drops file in Program Files directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
            PID: 408
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 250KB
  MD5: 3f42f10528e56dd20c636b59c8756c9d
  SHA1: 4903d8c0317bd5c2926a6166ccc5887a233412a8
  SHA256: 2581d671c4462758584617222a05bde6f7811b75e722c4ed48da73e7138c7b23
  SHA512: ed2c95f3ab036f4e03735cd1ccab7f56ca587fa81d3f2a8c7c76962286bd00da2ae1797225298f4e28622adc4fe5aadbb2db20d65125741a601067a93cc7ce86
- Filesize: 8B
  MD5: e330a4515ac69ba8640c3c852bfec8d5
  SHA1: 10ec83e2f7a58df300d3a72742e6bfb700af0d0a
  SHA256: 8e6502c71187cfaacc5c7dd8c0aa86f5dc038ee1f445943333062a6ec1441c3f
  SHA512: d43c2e58b9368d52011d80fe11e4cf5991c03155030742ec19f206e78447bcffabb55e7bf0447588cb81c8078d7429c1f4612611459274fee2a8133cef2dccfc
- Filesize: 189KB
  MD5: 0e234261b2b24dab1385c01422358815
  SHA1: f77a3ad2e62c12b1c8eb5be1018624f73d4e08bd
  SHA256: e960a4be6930d952e1f9ce2214d95e3c43f3f590e07f67dad8db14cc6ae9fc88
  SHA512: cfb2307787400110d09711f63d7066fa5a8ab7a7d339f39ad84eec83feca749385ed589be4df60e3b9bcc2129131964ec7705af8d271f5684cf3fc5d127363e5
- Filesize: 15B
  MD5: 4362e21af8686f5ebba224768d292a5b
  SHA1: 504510a4d10e230dcd1605ab3342525b38a10933
  SHA256: b1b2cc9a6bf77f9e56955acbbce253c70fc25b92d1e150d9928b9183b19b93b3
  SHA512: f2ee4b95d5c50b533de93f21f9d73a75ab8c755ab9f343b4848bd92b6827e76dc5e17fe27b0f2ad2049a1ee0fe20d0cb0398b1973277b85e84b6af004e945850