Analysis
  max time kernel: 150s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 13-07-2024 05:55

Static task: static1

Behavioral task: behavioral1
  Sample: 4072109409ddb0ab1cafe787d8aa63e3_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 4072109409ddb0ab1cafe787d8aa63e3_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
  Target: 4072109409ddb0ab1cafe787d8aa63e3_JaffaCakes118.exe
  Size:   270KB
  MD5:    4072109409ddb0ab1cafe787d8aa63e3
  SHA1:   c9ef723adcfcc8a0bc4d54159e275f585c295598
  SHA256: 3c735703d8ebe46f9378c6abdda97de7ea440d49fba037e70d76881feae3d404
  SHA512: 6bb348ac8f7eca228ebdc0bf49980c1ee7d9ae866e527aac274c033720cc9838cb374bf81c0ce053fcccb9d63221e1c97116dc39fe5e276157a59ac474c8bad8
  SSDEEP: 6144:Mu2urzh9xu/XkaumeMrUbY+a5XbAwTHnYCHe:Mutrzh9xOXk3W5MwTHYh
Malware Config

Signatures

Executes dropped EXE (5 IoCs)
  pid  | Process
  2544 | i.exe
  2412 | f.exe
  2828 | cres.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe

Loads dropped DLL (9 IoCs)
  pid  | Process
  2572 | 4072109409ddb0ab1cafe787d8aa63e3_JaffaCakes118.exe
  2544 | i.exe
  2544 | i.exe
  2544 | i.exe
  2544 | i.exe
  2412 | f.exe
  2412 | f.exe
  2240 | mtvdemd.exe
  2240 | mtvdemd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\© Microsoft Real Time Media Stack = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\mtvdemd.exe" | mtvdemd.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                         | pid  | Process        | procid_target
  PID 2412 set thread context of 2812 | 2412 | f.exe          | 33
  PID 2776 set thread context of 2660 | 2776 | hpwebregUI.exe | 36

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive identical rows collapsed, repeat count in brackets)
  pid  | Process
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe
  2776 | hpwebregUI.exe
  2812 | AppLaunch.exe [x4]
  2412 | f.exe
  2240 | mtvdemd.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2412 | f.exe
  Token: SeDebugPrivilege | 2240 | mtvdemd.exe
  Token: SeDebugPrivilege | 2776 | hpwebregUI.exe

Suspicious use of WriteProcessMemory (64 IoCs; consecutive identical rows collapsed, repeat count in brackets)
  description                      | pid  | Process                                            | procid_target
  PID 2572 wrote to memory of 2544 | 2572 | 4072109409ddb0ab1cafe787d8aa63e3_JaffaCakes118.exe | 30 [x7]
  PID 2544 wrote to memory of 2412 | 2544 | i.exe                                              | 31 [x7]
  PID 2544 wrote to memory of 2828 | 2544 | i.exe                                              | 32 [x7]
  PID 2412 wrote to memory of 2812 | 2412 | f.exe                                              | 33 [x15]
  PID 2412 wrote to memory of 2240 | 2412 | f.exe                                              | 34 [x7]
  PID 2240 wrote to memory of 2776 | 2240 | mtvdemd.exe                                        | 35 [x7]
  PID 2776 wrote to memory of 2660 | 2776 | hpwebregUI.exe                                     | 36 [x14]
Processes (process tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\4072109409ddb0ab1cafe787d8aa63e3_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4072109409ddb0ab1cafe787d8aa63e3_JaffaCakes118.exe"
  PID: 2572
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\i.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\i.exe" -pwr
      PID: 2544
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\f.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\f.exe"
          PID: 2412
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              PID: 2812
              - Suspicious behavior: EnumeratesProcesses

            C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\System\mtvdemd.exe"
              PID: 2240
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\System\hpwebregUI.exe"
                  PID: 2776
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                      PID: 2660

        C:\Users\Admin\AppData\Local\Temp\cres.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\cres.exe"
          PID: 2828
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 29B
  MD5:    ec9052e9224909cc2e9f3b747f67f035
  SHA1:   3b4ffbcb01d72019b4764fe27111e92b8a16994c
  SHA256: 0e9375ffc04e965382764e8357b27ec8fd1869cc43c25b2e5cefa90443cffbdc
  SHA512: ff114b6d86ea202d275cb9eeef511e4b9875e24160f09d499ef164089992a4ec0981bb3411e9c759ac9bc7c35395ec44029b426ef97ab96b8d8281af4c3102ad

  Filesize: 52KB
  MD5:    6b7c453e06409a09412d053a7bfc2bfc
  SHA1:   e85e053dfacfa64a9a9a64c517fd7bc2915c73c5
  SHA256: fc40dc24916ebaa3c675182e3d9d8a0febc6c76ec064b94851ca48400a3f5fd0
  SHA512: e782be26f9588b2eb1bae679631e989730b444406cbe47df4d9572e7dc56b10eb1b9b53cdd002d33523e63ac9da9019935c690773b5c682b090a57f824969644

  Filesize: 44KB
  MD5:    92b17a287372d30c13ab35ec5a178230
  SHA1:   18aa23ee6177575fc361c362c3bcaea9c87776a1
  SHA256: 681c3d24791e6541514d20e0856d9c255914fca0f31afded78b554660a4e77a7
  SHA512: 5b457705efd80066d34a53c7717f8d0116d6449df105732fc3451b4909a3f0f3cfc0248637a04e4f2cd12c07b883fdb1a91939afbea4f481164e3030859badc3

  Filesize: 147KB
  MD5:    0a3f22eb5305a481db76e7657e9f3ee0
  SHA1:   b2f3844bc47ae6ac9c2d39487c92d74305420c64
  SHA256: c9d0ddbd5a5727cc68b62a507917c2b4c385bc914802fdf3c16d251d490e0a8b
  SHA512: 5ce02a995cc09b8f2b824a2b3260183bec01f33851dd96cd6ff6e13ce07c642849489d5920af33c402c08b1d320db8ba4ba3f6d3eb3987e22dcfd1921f71ebd8

  Filesize: 222KB
  MD5:    b1a32307a0e88a40aba2ff85b219dd5c
  SHA1:   5c895e531bb65767e5681fcc9083d0fd0aa354da
  SHA256: 02556631ad7475e127b1f19d5b84aeb3f5acdf9de829f0ac06f0d030833bfd23
  SHA512: 0a3f9b37e88f3c2a3edad3e606cd264f509f6c4c2ea40f292fcb89522403b47db933ca1c8a6b722c4114b62c98cd3908f0a7c11fa521e838cadc53e4732ea6ea