Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2024, 18:19
Static task: static1
Behavioral task: behavioral1
- Sample: 3e606f9cc7d1ad42a494dd45915e775b_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 3e606f9cc7d1ad42a494dd45915e775b_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3e606f9cc7d1ad42a494dd45915e775b_JaffaCakes118.exe
- Size: 369KB
- MD5: 3e606f9cc7d1ad42a494dd45915e775b
- SHA1: 7d69b27e01ef6867bb1768c9d9cec4952d9c5db5
- SHA256: aa701d51320728ed35f6c33dbf83d5c37c529189b7356ddb018cbce95408b9c4
- SHA512: 4b60f02d7493970b5d1d55aa1ac49c9d5fd527e56a0e949a57526201ba572eee19060dd8129a5b8e1872eb8a653d14481f8d45ad9227037932824be8c2b2a642
- SSDEEP: 6144:iYvlkt9yLZ/oZJJsiYlLgvbtd8HNME8iTtvfWeXM7ISt6/lVIHnByMhJ9k2y:DrLxopsiYlAbtd8ZZljSGPIHBLhbpy
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2672, cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2556, khtksqpv.exe
- Loads dropped DLL (3 IoCs)
  pid 2672, cmd.exe (2 events); pid 2556, khtksqpv.exe (1 event)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  pid 2696, taskkill.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid 2916, PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2556, khtksqpv.exe (64 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 2696, taskkill.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 2556, khtksqpv.exe (4 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 2556, khtksqpv.exe (4 events)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2752 (3e606f9cc7d1ad42a494dd45915e775b_JaffaCakes118.exe) wrote to memory of 2672; procid_target 30 (4 events)
  PID 2672 (cmd.exe) wrote to memory of 2696; procid_target 32 (4 events)
  PID 2672 (cmd.exe) wrote to memory of 2916; procid_target 34 (4 events)
  PID 2672 (cmd.exe) wrote to memory of 2556; procid_target 35 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\3e606f9cc7d1ad42a494dd45915e775b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e606f9cc7d1ad42a494dd45915e775b_JaffaCakes118.exe"
  PID: 2752
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2752 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3e606f9cc7d1ad42a494dd45915e775b_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\khtksqpv.exe -f
    PID: 2672
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 2752
      PID: 2696
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      PID: 2916
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\khtksqpv.exe
      Command line: C:\Users\Admin\AppData\Local\khtksqpv.exe -f
      PID: 2556
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 369KB
  MD5: 3e606f9cc7d1ad42a494dd45915e775b
  SHA1: 7d69b27e01ef6867bb1768c9d9cec4952d9c5db5
  SHA256: aa701d51320728ed35f6c33dbf83d5c37c529189b7356ddb018cbce95408b9c4
  SHA512: 4b60f02d7493970b5d1d55aa1ac49c9d5fd527e56a0e949a57526201ba572eee19060dd8129a5b8e1872eb8a653d14481f8d45ad9227037932824be8c2b2a642