Analysis
max time kernel: 124s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21/07/2024, 20:49
Behavioral task
behavioral1
Sample
6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
Resource
win7-20240708-en
General
Target: 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
Size: 160KB
MD5: 6158720bfc439609053c95d524e7041e
SHA1: 7a795971cd8584ad483fcc4c140469aa1597d09b
SHA256: 156170abc23f94a22e2f7ad9601c649c93496b6046f75ed830e998b64f1da808
SHA512: 305cce68bcb107de927ac7bb262013f1ad1d860fa9e14d3ed50166a53c53b9ed33b809d3ab137094e22811091e1e07d36ba0cdd6978b5b7958601fc7d24203e8
SSDEEP: 3072:ajzs49wvo/4n0sJI26Gb1rTSb6DmWy5DjkXv9B:so4WVO15+DtK+vD
Malware Config
Signatures
YARA rule match: upx (memory dumps of PID 2984) 2 IoCs
resource                                                                     yara_rule
behavioral1/memory/2984-0-0x0000000000400000-0x000000000044E000-memory.dmp   upx
behavioral1/memory/2984-80-0x0000000000400000-0x000000000044E000-memory.dmp  upx
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe (all 21 rows)
ioc (drive roots, in the order reported): \??\Y: \??\H: \??\I: \??\K: \??\L: \??\O: \??\Q: \??\U: \??\T: \??\V: \??\E: \??\M: \??\N: \??\P: \??\R: \??\S: \??\W: \??\X: \??\G: \??\J: \??\Z:
Drops file in System32 directory 21 IoCs
Process: 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe (all 21 rows)
description                   ioc
File opened for modification  \??\c:\windows\SysWOW64\svchost.exe
File opened for modification  \??\c:\windows\SysWOW64\alg.exe
File created                  \??\c:\windows\SysWOW64\dllhost.vir
File opened for modification  \??\c:\windows\SysWOW64\ieetwcollector.exe
File opened for modification  \??\c:\windows\SysWOW64\wbengine.exe
File opened for modification  \??\c:\windows\SysWOW64\searchindexer.exe
File created                  \??\c:\windows\SysWOW64\searchindexer.vir
File opened for modification  \??\c:\windows\SysWOW64\vds.exe
File created                  \??\c:\windows\SysWOW64\svchost.vir
File opened for modification  \??\c:\windows\SysWOW64\dllhost.exe
File opened for modification  \??\c:\windows\SysWOW64\lsass.exe
File created                  \??\c:\windows\SysWOW64\msiexec.vir
File opened for modification  \??\c:\windows\SysWOW64\locator.exe
File opened for modification  \??\c:\windows\SysWOW64\snmptrap.exe
File opened for modification  \??\c:\windows\SysWOW64\ui0detect.exe
File opened for modification  \??\c:\windows\SysWOW64\fxssvc.exe
File opened for modification  \??\c:\windows\syswow64\perfhost.exe
File opened for modification  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
File opened for modification  \??\c:\windows\SysWOW64\msdtc.exe
File opened for modification  \??\c:\windows\SysWOW64\msiexec.exe
File opened for modification  \??\c:\windows\SysWOW64\vssvc.exe
Drops file in Program Files directory 7 IoCs
Process: 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe (all 7 rows)
description                   ioc
File opened for modification  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
File opened for modification  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
File opened for modification  \??\c:\program files\windows media player\wmpnetwk.exe
File opened for modification  C:\Program Files\Internet Explorer\iexplore.exe
File opened for modification  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe
File opened for modification  \??\c:\program files (x86)\google\update\googleupdate.exe
File opened for modification  \??\c:\program files (x86)\microsoft office\office14\groove.exe
Drops file in Windows directory 12 IoCs
description                   ioc                                                                                                      Process
File opened for modification  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D91FAE1C-F8AE-4160-BD7E-073538D37602}.crmlog  dllhost.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe                               6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe                                      6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe                                            6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe                                          6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe                                            6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe                                          6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File created                  C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D91FAE1C-F8AE-4160-BD7E-073538D37602}.crmlog  dllhost.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                                                             6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\ehome\ehrecvr.exe                                                                          6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\ehome\ehsched.exe                                                                          6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe                6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
Modifies data under HKEY_USERS 3 IoCs
description  ioc                                                                                      Process
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap      SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  SearchIndexer.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones        SearchIndexer.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description                      pid   Process
Token: SeTakeOwnershipPrivilege  2984  6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
Token: SeRestorePrivilege        2864  msiexec.exe
Token: SeTakeOwnershipPrivilege  2864  msiexec.exe
Token: SeSecurityPrivilege       2864  msiexec.exe
Token: SeManageVolumePrivilege   2880  SearchIndexer.exe
Token: 33                        2880  SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 2880 SearchIndexer.exe
Note: SeTakeOwnershipPrivilege allows the holder to take ownership of an object regardless of its DACL. Enabled in PID 2984 alongside the "File opened for modification" entries for service binaries under System32, Program Files and the Windows directory (which are owned by TrustedInstaller by default), it is consistent with the sample taking ownership of those executables before rewriting them.
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
1908  SearchProtocolHost.exe
1908  SearchProtocolHost.exe
1908  SearchProtocolHost.exe
1908  SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 9 IoCs
description                      pid   Process            procid_target
PID 2880 wrote to memory of 1908 2880  SearchIndexer.exe  34
PID 2880 wrote to memory of 1908 2880  SearchIndexer.exe  34
PID 2880 wrote to memory of 1908 2880  SearchIndexer.exe  34
PID 2880 wrote to memory of 860  2880  SearchIndexer.exe  35
PID 2880 wrote to memory of 860  2880  SearchIndexer.exe  35
PID 2880 wrote to memory of 860  2880  SearchIndexer.exe  35
PID 2880 wrote to memory of 1308 2880  SearchIndexer.exe  36
PID 2880 wrote to memory of 1308 2880  SearchIndexer.exe  36
PID 2880 wrote to memory of 1308 2880  SearchIndexer.exe  36
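The file-system signatures above are most useful as a hunt list: every executable the sample opened for modification is a candidate for on-host verification, and the .vir files it created next to four of them (dllhost, msiexec, searchindexer, svchost under SysWOW64) look like copies of the original binaries. The helper below is an added example, not part of the sandbox output. It assumes the "<action> <path> <process>" row layout used in the signature tables on this page, takes a constructed subset of those rows as input, pairs each .vir with the .exe of the same name, and separates the executables that have such a copy from those that do not. The sample name is the one from this report; everything else (function names, the row subset) is the example's own.

```python
"""Added triage helper: turn the flattened IoC rows of a sandbox report into a
hunt list. Not part of the report; it only assumes the row layout
"<action> <path> <process>" used in the signature tables above."""
import re

# Constructed subset of the rows on this page (the dllhost.exe row is kept to
# show that rows from other processes are filtered out).
IOC_TEXT = r"""
File opened (read-only) \??\Y: 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened (read-only) \??\H: 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened (read-only) \??\E: 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\svchost.exe 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\alg.exe 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File created \??\c:\windows\SysWOW64\dllhost.vir 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File created \??\c:\windows\SysWOW64\searchindexer.vir 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File created \??\c:\windows\SysWOW64\svchost.vir 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File created \??\c:\windows\SysWOW64\msiexec.vir 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe 6158720bfc439609053c95d524e7041e_JaffaCakes118.exe
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D91FAE1C-F8AE-4160-BD7E-073538D37602}.crmlog dllhost.exe
"""
IOC_ROWS = [line for line in IOC_TEXT.splitlines() if line.strip()]
SAMPLE = "6158720bfc439609053c95d524e7041e_JaffaCakes118.exe"

# Action strings as they appear in the report; longest-prefix match is not
# needed because none of them is a prefix of another.
ACTIONS = ("File opened for modification", "File created", "File opened (read-only)")


def parse_row(row):
    """Split one row into action, path and process. The process name is the
    last whitespace-separated token, so paths containing spaces
    ("program files (x86)") survive intact."""
    for action in ACTIONS:
        if row.startswith(action + " "):
            path, _, process = row[len(action) + 1:].rpartition(" ")
            return {"action": action, "path": path, "process": process}
    raise ValueError(f"unrecognised row: {row!r}")


def normalise(path):
    """Drop the NT object-manager prefix and fold case: the report mixes
    \\??\\c:\\windows\\SysWOW64 and \\??\\c:\\windows\\syswow64 for one directory."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def summarise(rows, process):
    """Return what a responder needs from the rows attributed to `process`:
    drive roots probed, executables opened for modification, .vir files
    created, and which executables have a .vir sibling of the same name."""
    drives, modified, backups = set(), {}, {}
    for raw in rows:
        row = parse_row(raw)
        if row["process"] != process:
            continue
        p = normalise(row["path"])
        if row["action"] == "File opened (read-only)" and re.fullmatch(r"[a-z]:", p):
            drives.add(p[0].upper())
        elif row["action"] == "File opened for modification" and p.endswith(".exe"):
            modified[p[:-4]] = p          # key on the path without extension
        elif row["action"] == "File created" and p.endswith(".vir"):
            backups[p[:-4]] = p
    return {
        "drives": sorted(drives),
        "modified_exes": sorted(modified.values()),
        "vir_backups": sorted(backups.values()),
        "exe_with_vir_copy": [modified[s] for s in sorted(backups) if s in modified],
        "exe_without_vir_copy": sorted(v for s, v in modified.items() if s not in backups),
    }


if __name__ == "__main__":
    for key, items in summarise(IOC_ROWS, SAMPLE).items():
        print(key)
        for item in items:
            print("   ", item)
```

Feed it the full row set from the tables above and the two output lists become the verification list for a suspected host: compare each executable's hash against a known-good copy from installation media or a clean peer, and treat any surviving .vir file as a copy of the pre-modification binary worth preserving for comparison before remediation.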
Processes

C:\Users\Admin\AppData\Local\Temp\6158720bfc439609053c95d524e7041e_JaffaCakes118.exe  (PID 2984, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6158720bfc439609053c95d524e7041e_JaffaCakes118.exe"
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\dllhost.exe  (PID 2936, depth 1)
    Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    - Drops file in Windows directory

C:\Windows\system32\msiexec.exe  (PID 2864, depth 1)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SearchIndexer.exe  (PID 2880, depth 1)
    Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\SearchProtocolHost.exe  (PID 1908, depth 2, parent 2880)
        Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        - Suspicious use of SetWindowsHookEx

    C:\Windows\system32\SearchFilterHost.exe  (PID 860, depth 2, parent 2880)
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516

    C:\Windows\system32\SearchFilterHost.exe  (PID 1308, depth 2, parent 2880)
        Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1024KB
MD5: 914ccd5abf3969f3b7a886c57cec5202
SHA1: db8e5f8c1f038a8f3401b49d2ea394f3995ec18d
SHA256: 1125a4e1266c297122c7341938776ad9a5bbf782e2dfd2db7589787fcda31d30
SHA512: 0207b8db600c0eb47b46f663f9eeb09db5c71fab34e5221b4611413a7a19629821986da37c2ff5cb06997c09df220be59cec4d0e1cdaf567f082c89782056a77