Analysis
-
max time kernel
142s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13/07/2024, 07:21
Static task
static1
Behavioral task
behavioral1
Sample
40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe
-
Size
304KB
-
MD5
40b69dd3c676f456ed9b34a5ad63fac9
-
SHA1
054c70b1dc8b1ab2dfa8b210193224172c576ea3
-
SHA256
636f7f4de52f1f1688988661dbced1e8f5c311fb981fa40439627cf1a451dca2
-
SHA512
85b9814d50acf0557d70c6f31ad060c35a7c733f4f8a171536bcd23815020b996c89a5f6abeb12956d93e3c422b63b68c44920de86ce8e308fa7aca3435f8166
-
SSDEEP
6144:6K5f2kaSemapKd4gFoQcySrVNWn0CAypTU77ev7wdbnr7BvxXxboZUVNV:hd2lSefpsxqn3rVHBy+qy3BphbvVD
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2640 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2260 svchost.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\tasks\svchost.exe 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe File opened for modification C:\Windows\tasks\svchost.exe 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe File created C:\Windows\004A0AAF.BAT 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2356 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe Token: SeDebugPrivilege 2260 svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2260 svchost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2640 2356 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe 31 PID 2356 wrote to memory of 2640 2356 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe 31 PID 2356 wrote to memory of 2640 2356 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe 31 PID 2356 wrote to memory of 2640 2356 40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\40b69dd3c676f456ed9b34a5ad63fac9_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\004A0AAF.BAT2⤵
- Deletes itself
PID:2640
-
-
C:\Windows\tasks\svchost.exeC:\Windows\tasks\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2260
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
218B
MD5fe775196282138480a2d0dc970a4a9e5
SHA119a37c54ac243c7f6b9e4a5a8d1064b4b6939346
SHA2560c7825d53c5b514fd3e378afd61b4c9e0c7762ac49705e34be9ff8b9b5dd96b9
SHA512d534ae40dd1af9fd7382e981a1a4b276cba4655d0625f3d46b9fedd1da0572c622b8de37abc9fc10d3ca61116bf6ec1e46630efc615ff6747c800d33df3357b7
-
Filesize
304KB
MD540b69dd3c676f456ed9b34a5ad63fac9
SHA1054c70b1dc8b1ab2dfa8b210193224172c576ea3
SHA256636f7f4de52f1f1688988661dbced1e8f5c311fb981fa40439627cf1a451dca2
SHA51285b9814d50acf0557d70c6f31ad060c35a7c733f4f8a171536bcd23815020b996c89a5f6abeb12956d93e3c422b63b68c44920de86ce8e308fa7aca3435f8166