Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 20:48
Static task: static1
Behavioral task: behavioral1
  Sample: 4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe
Size: 168KB
MD5: 4b55e8dc211849b0e9d4330c5ae3b191
SHA1: 73e5cb231046caf00182fdfd4c4aaa6146f8d928
SHA256: 1e856634f70889b7bced2952a5252cc4a8f0ccccad55cfb9c3e6a6d367abfa99
SHA512: a577f29953beea07650dd626d7a794086acfe124db43a863b85fd9dd1f91a14eb7c340c13bf5b756cf369b6f891227e6d3d1bafbfbbc1f91c1fa7e2174800739
SSDEEP: 3072:ww4JqKlzNAk9JuB/RVgU974KlGro2UWQRtgxC6c3ovNRdNUirqSmF7Nv5L:ww2qKZNAYmVJ974KlGM/g46cYVWimF7T
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | a60.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe" | a60.exe
Note: when an IFEO key for an image carries a Debugger value, Windows starts the named "debugger" in place of that image and hands it the original command line, so egui.exe itself never runs. egui.exe is the GUI process of ESET's endpoint products; pointing its Debugger at services.exe is a defence-evasion use of the key rather than persistence for the sample, even though MITRE files the technique under Persistence (see the ATT&CK mapping below).
Executes dropped EXE (3 IoCs)
pid | Process
2664 | QvodSetupPlus3.exe
2956 | a60.exe
1740 | ~25946771.exe
Loads dropped DLL (8 IoCs)
pid | Process | count
2308 | 4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe | 3
2664 | QvodSetupPlus3.exe | 3
2956 | a60.exe | 2
YARA rule match: upx (19 IoCs)
resource | yara_rule
behavioral1/files/0x000a0000000120f9-3.dat | upx
behavioral1/memory/2664-11-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/files/0x0009000000016d49-18.dat | upx
behavioral1/memory/2956-20-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral1/memory/2664-23-0x0000000000240000-0x0000000000297000-memory.dmp | upx
behavioral1/memory/2664-28-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2956-29-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral1/memory/2664-30-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2956-31-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral1/memory/2664-32-0x0000000000240000-0x0000000000297000-memory.dmp | upx
behavioral1/memory/2664-46-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2956-47-0x0000000000400000-0x000000000040F000-memory.dmp | upx
behavioral1/memory/2664-70-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2664-74-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2664-78-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2664-80-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2664-84-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2664-88-0x0000000000400000-0x0000000000457000-memory.dmp | upx
behavioral1/memory/2664-90-0x0000000000400000-0x0000000000457000-memory.dmp | upx
Note: the upx rule fires on two captured files and on memory of the two dropped executables: the image region of PID 2664 (QvodSetupPlus3.exe, 0x400000-0x457000), the image region of PID 2956 (a60.exe, 0x400000-0x40F000), and a second region in 2664 (0x240000-0x297000) of the same size as its image. All hits are from the behavioral1 (Windows 7 x64) run.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\xdmW8.exe" | a60.exe
Note: the value name msconfig mimics the legitimate System Configuration tool. The Run value names C:\Windows\system32\xdmW8.exe, but the file drop recorded below lands in C:\Windows\SysWOW64. a60.exe evidently runs as a 32-bit process (its registry write lands in the Wow6432Node view), and WOW64 file system redirection sends a 32-bit process's writes to C:\Windows\system32 into SysWOW64, so check which copy of xdmW8.exe actually exists before assuming the autostart resolves.
Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\xdmW8.exe | a60.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid | Process | count
2956 | a60.exe | 10
1740 | ~25946771.exe | 5
Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
472 | Process not Found
Note: the sandbox could not map PID 472 to a process it monitored, so this driver load is unattributed; do not read it as a driver loaded by the sample without further evidence.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2956 | a60.exe
Note: SeDebugPrivilege lets a process open handles to processes it does not own; it is requested by the same PID that enumerates processes ten times above.
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process | count
2664 | QvodSetupPlus3.exe | 3
Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process | count
2664 | QvodSetupPlus3.exe | 3
Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target | count
PID 2308 wrote to memory of 2664 | 2308 | 4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe | 31 | 7
PID 2308 wrote to memory of 2956 | 2308 | 4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe | 32 | 4
PID 2956 wrote to memory of 1740 | 2956 | a60.exe | 33 | 4
PID 1740 wrote to memory of 3056 | 1740 | ~25946771.exe | 34 | 4
Note: every write goes from a process to its own direct child (compare the process tree below). CreateProcess itself writes into a freshly created child to set it up, so these events establish the parent-child chain but, on their own, do not show injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe (PID 2308)
  command line: "C:\Users\Admin\AppData\Local\Temp\4b55e8dc211849b0e9d4330c5ae3b191_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe (PID 2664)
    command line: "C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Users\Admin\AppData\Local\Temp\a60.exe (PID 2956)
    command line: "C:\Users\Admin\AppData\Local\Temp\a60.exe"
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\~25946771.exe (PID 1740)
      command line: C:\Users\Admin\AppData\Local\Temp\~25946771.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 3056)
        command line: cmd
Note: the sample drops two executables side by side: QvodSetupPlus3.exe, which behaves like an installer GUI (tray window and notify messages), and a60.exe, which carries all the registry and file-system IoCs. cmd.exe is resolved from SysWOW64, confirming that the chain runs as 32-bit processes on the x64 image.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder
  Event Triggered Execution (1): Image File Execution Options Injection
Downloads
File 1
  Filesize: 28KB
  MD5: 9cef033d5f586f0154f4c747084ac25d
  SHA1: 260646034bfb96457708653620e5261b7d25a486
  SHA256: e27b4efab9feda159ed0d298eb9774bf3f6624542d30f5ce6a912fa84638afc7
  SHA512: 414e0af552a7b0f6507933146596d7b0cd464c8d74ddc3817d2cb0ea1f15581602709cfefc1d36cd3adac412a0cd2c7978501d17e1b1851922dd05868c8848bb
File 2
  Filesize: 149KB
  MD5: a3de6c880f4fbe1c2fdae63bed2587c5
  SHA1: d24408ca4349f83b66409e773fab10863469a1f6
  SHA256: eae20a59c483e08d98b03e9367af8069ae78133240f0ad73077db1f5f63c1e39
  SHA512: 218523a61e1cb2da1e2f92170965bcb51f3dc006365be606cd3d19fe8abe54c6c59674c161febdeacdc0fa8974a5ed1bfe00471c1762184026646cbc9881d12e
File 3
  Filesize: 8KB
  MD5: c6c7e10384a8d07df2588da86a857160
  SHA1: 73047c38834cedda3d2967849476bde1a4d965fc
  SHA256: 09419aead4bce3dc42c0ddc8e3f68e6aa9b06f8fe75191c4cc2bb26a6fb5a826
  SHA512: 42fa0fdf9f88b714035e75090fff5b82586efe6b07939c1753c9fd68b9209f061967c8d5fa4062955886b4592d61e09b3a71b747de9269b70b6f03fe78104f28