Analysis

max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12/07/2024, 00:28
Behavioral task: behavioral1
Sample: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General

Target: 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Size: 158KB
MD5: 3b51fab717e281580abca9c62aaa9685
SHA1: 74cd77630ace2fa629405f0665f34f1bb86419c1
SHA256: 3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
SHA512: 41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
SSDEEP: 3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L
Malware Config
Signatures
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2895k76 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rt04lto.exe" | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | rt04lto.exe
Deletes itself (1 IoCs)
pid | Process
2680 | cmd.exe
Executes dropped EXE (3 IoCs)
pid | Process
2972 | rt04lto.exe
1628 | rt04lto.exe
2872 | rt04lto.exe
Loads dropped DLL (4 IoCs)
pid | Process
1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2972 | rt04lto.exe
2972 | rt04lto.exe
UPX packed file
resource | yara_rule
behavioral1/memory/1900-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0011000000016cd4-11.dat | upx
behavioral1/memory/1900-29-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1628-34-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2972-41-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1628-42-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1628-43-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2872-56-0x0000000000400000-0x000000000042A000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | Rundll32.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\osor.log | rt04lto.exe
File opened for modification | C:\Windows\SysWOW64\osor.log | rt04lto.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.app.log | Rundll32.exe
Launches sc.exe (8 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2948 | sc.exe
3036 | sc.exe
2388 | sc.exe
1904 | sc.exe
2764 | sc.exe
2024 | sc.exe
588 | sc.exe
2200 | sc.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | rt04lto.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | rt04lto.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | rt04lto.exe
Runs net.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 2760 | Rundll32.exe
Token: SeRestorePrivilege | 2760 | Rundll32.exe
Token: SeRestorePrivilege | 2760 | Rundll32.exe
Token: SeRestorePrivilege | 2760 | Rundll32.exe
Token: SeRestorePrivilege | 2760 | Rundll32.exe
Token: SeRestorePrivilege | 2760 | Rundll32.exe
Token: SeRestorePrivilege | 2760 | Rundll32.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2972 | rt04lto.exe
2972 | rt04lto.exe
2972 | rt04lto.exe
1628 | rt04lto.exe
1628 | rt04lto.exe
1628 | rt04lto.exe
2872 | rt04lto.exe
2872 | rt04lto.exe
2872 | rt04lto.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1900 wrote to memory of 2968 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 31
PID 1900 wrote to memory of 2968 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 31
PID 1900 wrote to memory of 2968 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 31
PID 1900 wrote to memory of 2968 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 31
PID 1900 wrote to memory of 2388 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 33
PID 1900 wrote to memory of 2388 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 33
PID 1900 wrote to memory of 2388 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 33
PID 1900 wrote to memory of 2388 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 33
PID 1900 wrote to memory of 2800 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 34
PID 1900 wrote to memory of 2800 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 34
PID 1900 wrote to memory of 2800 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 34
PID 1900 wrote to memory of 2800 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 34
PID 1900 wrote to memory of 1904 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 35
PID 1900 wrote to memory of 1904 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 35
PID 1900 wrote to memory of 1904 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 35
PID 1900 wrote to memory of 1904 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 35
PID 1900 wrote to memory of 2972 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 39
PID 1900 wrote to memory of 2972 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 39
PID 1900 wrote to memory of 2972 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 39
PID 1900 wrote to memory of 2972 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 39
PID 2968 wrote to memory of 484 | 2968 | net.exe | 40
PID 2968 wrote to memory of 484 | 2968 | net.exe | 40
PID 2968 wrote to memory of 484 | 2968 | net.exe | 40
PID 2968 wrote to memory of 484 | 2968 | net.exe | 40
PID 2800 wrote to memory of 2808 | 2800 | net.exe | 41
PID 2800 wrote to memory of 2808 | 2800 | net.exe | 41
PID 2800 wrote to memory of 2808 | 2800 | net.exe | 41
PID 2800 wrote to memory of 2808 | 2800 | net.exe | 41
PID 1900 wrote to memory of 2760 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 42
PID 1900 wrote to memory of 2760 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 42
PID 1900 wrote to memory of 2760 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 42
PID 1900 wrote to memory of 2760 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 42
PID 1900 wrote to memory of 2760 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 42
PID 1900 wrote to memory of 2760 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 42
PID 1900 wrote to memory of 2760 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 42
PID 2760 wrote to memory of 2284 | 2760 | Rundll32.exe | 43
PID 2760 wrote to memory of 2284 | 2760 | Rundll32.exe | 43
PID 2760 wrote to memory of 2284 | 2760 | Rundll32.exe | 43
PID 2760 wrote to memory of 2284 | 2760 | Rundll32.exe | 43
PID 1900 wrote to memory of 2680 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 44
PID 1900 wrote to memory of 2680 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 44
PID 1900 wrote to memory of 2680 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 44
PID 1900 wrote to memory of 2680 | 1900 | 3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe | 44
PID 2284 wrote to memory of 3060 | 2284 | runonce.exe | 46
PID 2284 wrote to memory of 3060 | 2284 | runonce.exe | 46
PID 2284 wrote to memory of 3060 | 2284 | runonce.exe | 46
PID 2284 wrote to memory of 3060 | 2284 | runonce.exe | 46
PID 2972 wrote to memory of 1732 | 2972 | rt04lto.exe | 48
PID 2972 wrote to memory of 1732 | 2972 | rt04lto.exe | 48
PID 2972 wrote to memory of 1732 | 2972 | rt04lto.exe | 48
PID 2972 wrote to memory of 1732 | 2972 | rt04lto.exe | 48
PID 2972 wrote to memory of 2764 | 2972 | rt04lto.exe | 49
PID 2972 wrote to memory of 2764 | 2972 | rt04lto.exe | 49
PID 2972 wrote to memory of 2764 | 2972 | rt04lto.exe | 49
PID 2972 wrote to memory of 2764 | 2972 | rt04lto.exe | 49
PID 2972 wrote to memory of 1668 | 2972 | rt04lto.exe | 51
PID 2972 wrote to memory of 1668 | 2972 | rt04lto.exe | 51
PID 2972 wrote to memory of 1668 | 2972 | rt04lto.exe | 51
PID 2972 wrote to memory of 1668 | 2972 | rt04lto.exe | 51
PID 2972 wrote to memory of 2024 | 2972 | rt04lto.exe | 52
PID 2972 wrote to memory of 2024 | 2972 | rt04lto.exe | 52
PID 2972 wrote to memory of 2024 | 2972 | rt04lto.exe | 52
PID 2972 wrote to memory of 2024 | 2972 | rt04lto.exe | 52
PID 2972 wrote to memory of 1628 | 2972 | rt04lto.exe | 53
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
    PID: 1900
    - Adds policy Run key to start application
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\net.exe
        net.exe stop "Security Center"
        PID: 2968
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Security Center"
            PID: 484

    [2] C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= DISABLED
        PID: 2388
        - Launches sc.exe

    [2] C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        PID: 2800
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
            PID: 2808

    [2] C:\Windows\SysWOW64\sc.exe
        sc config SharedAccess start= DISABLED
        PID: 1904
        - Launches sc.exe

    [2] C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
        C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
        PID: 2972
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            net.exe stop "Security Center"
            PID: 1732

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Security Center"
                PID: 1472

        [3] C:\Windows\SysWOW64\sc.exe
            sc config wscsvc start= DISABLED
            PID: 2764
            - Launches sc.exe

        [3] C:\Windows\SysWOW64\net.exe
            net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
            PID: 1668

            [4] C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                PID: 2004

        [3] C:\Windows\SysWOW64\sc.exe
            sc config SharedAccess start= DISABLED
            PID: 2024
            - Launches sc.exe

        [3] C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
            C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -[argument not recoverable from the page]
            PID: 1628
            - Executes dropped EXE
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

            [4] C:\Windows\SysWOW64\net.exe
                net.exe stop "Security Center"
                PID: 1148

                [5] C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Security Center"
                    PID: 2664

            [4] C:\Windows\SysWOW64\sc.exe
                sc config wscsvc start= DISABLED
                PID: 588
                - Launches sc.exe

            [4] C:\Windows\SysWOW64\net.exe
                net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                PID: 1772

                [5] C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                    PID: 608

            [4] C:\Windows\SysWOW64\sc.exe
                sc config SharedAccess start= DISABLED
                PID: 2200
                - Launches sc.exe

        [3] C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
            C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -dA9BA856F0CCB8F507382775089CD686D3BAE5F2F4E2CDE17C2AE4C3A4395127A374B011C2B5782DCAADE9B34C1FFD2FAC300749C07ACCC90B48D4834DBA4A5D76C259639CBC3826E0D4C490E2AD13A30A19698D463D25E5E08BA2B468E7A770335607F5F416A8E2C9A5C8BD7A96AF29BE15AA490D997350DDDF89EDF611778BAC0D934812362E82C8EC8A9C862B38908D231B0A41CE3327D8F0689EC9A78D902792A6EE54524110F65052D73BB15D173FF9A16A4223A77CCBBB91797BCFC0DD50E622621BCF5CA2DDDB1DF4859D4DC9935856F28206B641F3EEBB03B8E38C3196AA59569DE1B14A2F203C94620E3F9BC83B4938A8BFA9B59348EFD7614ECECB9BC5335893FB82F8BE208330A367ABB6F349D9CAB183EFC61FCB8E7A09334BA83703ABE4BB5F89EA1296EA7C9FFE3F20BD71CE329BCD3A88E320796EA90E79EEF337329905488208B855FEDCE21EFAE7236150163AB6A0028B35175D2D1DE48CCF370AFE87123B76FF21B0E6A818042D161ACCE9D5CD6A6C49CD62C7A59F5AA4EDCE8CA15A2FBA447AEC854D944443E99A4B9645B82827A024AC3A3C66FB2F4F35B0A318DBC27673F
            PID: 2872
            - Executes dropped EXE
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

            [4] C:\Windows\SysWOW64\net.exe
                net.exe stop "Security Center"
                PID: 2984

                [5] C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Security Center"
                    PID: 2232

            [4] C:\Windows\SysWOW64\sc.exe
                sc config wscsvc start= DISABLED
                PID: 2948
                - Launches sc.exe

            [4] C:\Windows\SysWOW64\net.exe
                net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                PID: 2936

                [5] C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                    PID: 2292

            [4] C:\Windows\SysWOW64\sc.exe
                sc config SharedAccess start= DISABLED
                PID: 3036
                - Launches sc.exe

    [2] C:\Windows\SysWOW64\Rundll32.exe
        Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
        PID: 2760
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\runonce.exe
            "C:\Windows\system32\runonce.exe" -r
            PID: 2284
            - Checks processor information in registry
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                PID: 3060

    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\a2ga3dk8.bat
        PID: 2680
        - Deletes itself
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 218B
MD5: bc686b5b5dfc9fe33f1b9298988ffea4
SHA1: 0f4aa7406da22b81e1e8c0413ede8f4d6077e063
SHA256: 134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816
SHA512: 6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335

Filesize: 413B
MD5: ce1f2d7c8e36f3c085a5d281b9ebeb2f
SHA1: bbbfae948d625afe50f66f34282bda3974cfdce5
SHA256: 312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c
SHA512: 89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

Filesize: 158KB
MD5: 3b51fab717e281580abca9c62aaa9685
SHA1: 74cd77630ace2fa629405f0665f34f1bb86419c1
SHA256: 3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
SHA512: 41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f