Analysis (behavioral1 run on the Windows 7 x64 image)
max time kernel: 141s
max time network: 89s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 21:28

Static task: static1
Behavioral task: behavioral1
  Sample: 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General
Target: 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
Size: 287KB
MD5: 75ccb1d6acda4c4e3699e113ec85c6b1
SHA1: 46601487f59c2541c3a2261d30d7f02934cee2f9
SHA256: 09d06214b4129bf23f0ee0001011136c6b786de60ab46c47cc25273407d14703
SHA512: a087b09ef205b8c99bbd66aa77feefd017ddc8300b9abacb625a82bbf4d387198eb24f96ef9f9fb204d153c61b2b8a15d5810a43e4d35b3bbaa726f51c4275cd
SSDEEP: 6144:fXA0P+lWaNXBr9YwrfhcS5Q7Uc8Fa8UgZflBMElhMmX4eR0s:j+7NXBr+wr5WQcca8UgZlBMElTGs
Malware Config
Signatures
- Modifies security service (2 TTPs, 1 IoC)
  The sample sets the Start type of wscsvc, the Windows Security Center service, to 3 (SERVICE_DEMAND_START), so the service no longer starts automatically at boot.
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a registry key to the Active Setup of the local machine. The only IoC here is attributed to explorer.exe, not to the sample, so on its own it is weak evidence.
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Disables taskbar notifications via registry modification
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    3040 | 7CED.tmp
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1712 | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe (2 occurrences)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Matches yara rule: upx
  Every match is the main image (mapped at 0x400000) of the sample process 1712 or of its two child instances 2488 and 1140, so the children carry the same UPX-packed image as the parent.
  Processes (resource | yara_rule):
    behavioral1/memory/1712-1-0x0000000000400000-0x0000000000468000-memory.dmp | upx
    behavioral1/memory/1712-2-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/1712-7-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/2488-9-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/2488-10-0x0000000000400000-0x0000000000468000-memory.dmp | upx
    behavioral1/memory/1712-131-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/1140-133-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/1140-135-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/1712-136-0x0000000000400000-0x0000000000468000-memory.dmp | upx
    behavioral1/memory/1712-277-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/1712-331-0x0000000000400000-0x000000000046B000-memory.dmp | upx
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Persistence is a machine-wide Run value (under Wow6432Node, since the sample is 32-bit on an x64 host) pointing at the file dropped into Program Files (x86).
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\86F.exe = "C:\\Program Files (x86)\\LP\\2E48\\86F.exe" | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  86F.exe is the target of the Run value above; 7CED.tmp in the same directory is the file later executed as PID 3040.
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\LP\2E48\86F.exe | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
    File opened for modification | C:\Program Files (x86)\LP\2E48\86F.exe | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
    File opened for modification | C:\Program Files (x86)\LP\2E48\7CED.tmp | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7CED.tmp
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
- Modifies registry class (5 IoCs)
  All five entries are shell view-state (BagMRU) writes by explorer.exe, not by the sample; treat them as sandbox background activity.
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
    1712 | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe (14 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    1048 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  None of these entries belong to the sample. msiexec.exe /V is the Windows Installer service's own entry point and enabling SeRestore, SeTakeOwnership and SeSecurity is normal for it; nothing on this page ties its start to the sample. Token 33 is privilege LUID 33, SeIncreaseWorkingSetPrivilege, which the sandbox did not resolve by name.
  Processes (description | pid | process):
    Token: SeRestorePrivilege | 2252 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 2252 | msiexec.exe
    Token: SeSecurityPrivilege | 2252 | msiexec.exe
    Token: SeShutdownPrivilege | 1048 | explorer.exe (12 occurrences)
    Token: 33 | 588 | AUDIODG.EXE (2 occurrences)
    Token: SeIncBasePriorityPrivilege | 588 | AUDIODG.EXE (2 occurrences)
- Suspicious use of FindShellTrayWindow (28 IoCs)
  Processes (pid | process):
    1048 | explorer.exe (28 occurrences)
- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes (pid | process):
    1048 | explorer.exe (17 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  The sample (PID 1712) writes into the memory of each of its three children: two fresh instances of its own image (PIDs 2488 and 1140) and the dropped 7CED.tmp (PID 3040), four writes each.
  Processes (description | pid | process | target process):
    PID 1712 wrote to memory of 2488 | 1712 | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe (4 occurrences)
    PID 1712 wrote to memory of 1140 | 1712 | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe (4 occurrences)
    PID 1712 wrote to memory of 3040 | 1712 | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe | 7CED.tmp (4 occurrences)
- System policy modification (1 TTP, 2 IoCs)
  HideSCAHealth = 1 under Policies\Explorer removes the Security Center (Action Center) health icon from the notification area, which suppresses the warning the user would otherwise get once wscsvc stops running.
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
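The registry rows in the signature tables above (Modifies security service, Adds Run key, System policy modification) are the IoCs a responder turns into host checks or detection rules, and the explorer.exe rows are the ones to discard. The following Python is an added example, not part of the sandbox report or of the sample: it parses rows in the report's own description / ioc / process layout, rewrites the object-manager hive prefixes (\REGISTRY\MACHINE, \REGISTRY\USER) to the HKLM/HKU form that reg.exe and detection tooling expect, and classifies each row. The rows are copied from this page; the field names, the SERVICE_START table and the finding labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the signature tables above (not constructed): wscsvc Start,
# the Run value, HideSCAHealth, the Policies\Explorer key, plus one explorer.exe
# BagMRU row to show how sandbox shell noise is separated from sample behaviour.
SAMPLE = "75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe"
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\86F.exe'
    r' = "C:\\Program Files (x86)\\LP\\2E48\\86F.exe" ' + SAMPLE,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ' + SAMPLE,
    r'Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES'
    r'\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe',
]

# description, optional value type, the ioc body, and the acting process (last token).
ROW_RE = re.compile(r"^(Set value \((\w+)\)|Key (?:created|opened|deleted))\s+(.*\S)\s+(\S+)$")

# Values of a service's Start DWORD (winnt.h SERVICE_* start types).
SERVICE_START = {"0": "SERVICE_BOOT_START", "1": "SERVICE_SYSTEM_START", "2": "SERVICE_AUTO_START",
                 "3": "SERVICE_DEMAND_START", "4": "SERVICE_DISABLED"}


@dataclass
class RegistryIoc:
    op: str                   # "Set value", "Key created", "Key opened", ...
    value_type: Optional[str] # int / str / data for "Set value" rows, else None
    key: str                  # key path in HKLM\... / HKU\... form
    name: Optional[str]       # value name for "Set value" rows
    data: Optional[str]       # value data with the report's doubled backslashes undone
    process: str              # process that performed the operation


def normalize_hive(path: str) -> str:
    """Map the kernel object-manager prefixes used by the report to HKLM / HKU."""
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_registry_ioc(row: str) -> RegistryIoc:
    """Parse one 'description ioc process' row into its fields."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"not a registry IoC row: {row!r}")
    op_text, value_type, body, process = m.groups()
    name = data = None
    path = body
    if value_type:  # Set value (type) <key>\<name> = "<data>"
        path, _, data = body.rpartition(" = ")
        data = data.strip('"').replace("\\\\", "\\")  # report escapes backslashes in string data
        path, _, name = path.rpartition("\\")
    op = "Set value" if value_type else op_text
    return RegistryIoc(op, value_type, normalize_hive(path), name, data, process)


def triage(iocs):
    """Label each row the way an analyst reading the report would; labels are this example's own."""
    findings = []
    for ioc in iocs:
        key = ioc.key.lower()
        if ioc.process.lower() == "explorer.exe":
            findings.append(("noise", f"{ioc.op} under {ioc.key} by explorer.exe (shell activity, not the sample)"))
        elif ioc.op == "Set value" and key.endswith("\\currentversion\\run"):
            findings.append(("persistence", f"Run value {ioc.name} -> {ioc.data} (by {ioc.process})"))
        elif ioc.op == "Set value" and "\\services\\" in key and ioc.name == "Start":
            svc = ioc.key.rsplit("\\", 1)[-1]
            start = SERVICE_START.get(ioc.data, "unknown")
            findings.append(("defense-evasion", f"service {svc} Start={ioc.data} ({start}) by {ioc.process}"))
        elif ioc.op == "Set value" and ioc.name == "HideSCAHealth" and ioc.data == "1":
            findings.append(("defense-evasion", f"HideSCAHealth=1 hides the Security Center tray icon (by {ioc.process})"))
        else:
            findings.append(("info", f"{ioc.op} {ioc.key}" + (f"\\{ioc.name}" if ioc.name else "")))
    return findings


if __name__ == "__main__":
    for kind, text in triage([parse_registry_ioc(r) for r in REPORT_ROWS]):
        print(f"[{kind:16}] {text}")
```

The hive rewrite matters in practice: \REGISTRY\MACHINE\SYSTEM\ControlSet001\... is what kernel-level tracing records, while a Sigma rule or a `reg query` on a live host needs HKLM\SYSTEM\ControlSet001\... (or CurrentControlSet), and string data in the report carries doubled backslashes that must be undone before the path is compared with anything on disk.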
Processes
- C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe (PID 1712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe (PID 2488, child of 1712)
    Command line: C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\89593\9A72E.exe%C:\Users\Admin\AppData\Roaming\89593
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe (PID 1140, child of 1712)
    Command line: C:\Users\Admin\AppData\Local\Temp\75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe startC:\Program Files (x86)\93C22\lvvm.exe%C:\Program Files (x86)\93C22
    - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\LP\2E48\7CED.tmp (PID 3040, child of 1712)
    Command line: "C:\Program Files (x86)\LP\2E48\7CED.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe (PID 2252)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 1048)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE (PID 588)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x590
  - Suspicious use of AdjustPrivilegeToken

The two self-copies (PIDs 2488 and 1140) are launched with a "start" argument naming 9A72E.exe under AppData\Roaming\89593 and lvvm.exe under Program Files (x86)\93C22. Neither path appears in the dropped-file IoCs or in the Downloads list, so this report does not show those files being written; the argument is the only trace of them.
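The WriteProcessMemory rows and the process tree above are the material for an injection timeline: the sample writes into two new instances of its own image and into the dropped 7CED.tmp, and each target is one of its own children. The following Python is an added example, not part of the report or of the sample: it counts the writes per writer/target pair from rows in the report's own format, checks each target against the tree so that a write into an unrelated process would stand out, and splits the start<file>%<dir> argument the two self-copies were launched with. Rows and command lines are copied from this page; parent PIDs follow the tree nesting; treating "%" as the separator between file path and directory is an assumption of this example, not something the page documents.

```python
import re
from collections import Counter

# Rows copied from "Suspicious use of WriteProcessMemory" and the process tree
# above (not constructed). Parent PIDs are taken from the tree nesting.
SAMPLE = "75ccb1d6acda4c4e3699e113ec85c6b1_JaffaCakes118.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WRITE_ROWS = (
    [f"PID 1712 wrote to memory of 2488 1712 {SAMPLE} {SAMPLE}"] * 4
    + [f"PID 1712 wrote to memory of 1140 1712 {SAMPLE} {SAMPLE}"] * 4
    + [f"PID 1712 wrote to memory of 3040 1712 {SAMPLE} 7CED.tmp"] * 4
)
PROCESS_TREE = {  # pid: (parent pid, image, command line as printed in the report)
    1712: (None, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    2488: (1712, SAMPLE, f"{TEMP}\\{SAMPLE} startC:\\Users\\Admin\\AppData\\Roaming\\89593\\9A72E.exe"
                         "%C:\\Users\\Admin\\AppData\\Roaming\\89593"),
    1140: (1712, SAMPLE, f"{TEMP}\\{SAMPLE} startC:\\Program Files (x86)\\93C22\\lvvm.exe"
                         "%C:\\Program Files (x86)\\93C22"),
    3040: (1712, "7CED.tmp", r'"C:\Program Files (x86)\LP\2E48\7CED.tmp"'),
}

# description | pid | process | target process
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
# "start<file>%<dir>" argument; '%' as separator is this example's assumption.
START_RE = re.compile(r"\sstart(.+?)%(.+)$")


def parse_write_rows(rows):
    """Count rows per (writer pid, target pid, writer image, target image)."""
    writes = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unexpected row: {row!r}")
        src, dst, pid, src_img, dst_img = m.groups()
        if src != pid:  # the description and the pid column must name the same writer
            raise ValueError(f"inconsistent writer pid: {row!r}")
        writes[(int(src), int(dst), src_img, dst_img)] += 1
    return writes


def injection_findings(writes, tree):
    """Relate every write target to the process tree and describe what was written into."""
    findings = []
    for (src, dst, src_img, dst_img), count in sorted(writes.items()):
        parent = tree.get(dst, (None, None, None))[0]
        if src_img == dst_img:
            kind = "own image (new instance of the same executable)"
        else:
            kind = f"dropped executable ({dst_img})"
        findings.append({
            "src": src, "dst": dst, "writes": count,
            "relation": "child" if parent == src else "unrelated",  # unrelated = classic remote injection
            "kind": kind,
        })
    return findings


def split_start_arg(cmdline):
    """Return (file path, directory) from a start<file>%<dir> argument, or None if absent."""
    m = START_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for f in injection_findings(parse_write_rows(WRITE_ROWS), PROCESS_TREE):
        print(f"{f['src']} -> {f['dst']} ({f['relation']}, {f['writes']} writes): {f['kind']}")
    for pid in (2488, 1140):
        print(pid, split_start_arg(PROCESS_TREE[pid][2]))
```

All three targets come back as children, which is what the tree already says; the value of the check is on reports where a write lands in a process the sample did not spawn, since that is the case that should be escalated as remote injection rather than staged execution of its own children.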
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
- Filesize: 300B
  MD5: 0199a5229e0d13c359c0b3ae3322b670
  SHA1: b1cdfc09f18b30d4ff9de520095a468eddf8f815
  SHA256: 7062c7d382a85004c538a34e9b75258f9e8202d47c8a97e60826894defba6f7f
  SHA512: e713ace9c35ccbd1e183cebfe63cdc1648a8218e461cdcbca43891682c964956b37ed77d73e57e175d13730a6338ec6d88203286a1cebf7ab1771d89acac59f3
- Filesize: 696B
  MD5: 566b016d646e76a72f7af5fff35ac587
  SHA1: fdf58522e8c555a73ea3b6e5cf242e3453aa182c
  SHA256: 98d654120b75f634ec5d36b3d35b93454db99b9d1c5ae8d96f1b62d50e3f45d5
  SHA512: 1d91f1a123f50f1d68b4326bbc67f863705a7df89c0600e89de18bad32e2a2a4e20406ecc0bc00f062ca50b6046a95f6c926eeb42542d2e823eef01929a3c17e
- Filesize: 1KB
  MD5: 51b2977a3bbdd55fdd68c18c4247ceb1
  SHA1: 80e6282f222a9585bc335f8b54395513928a7391
  SHA256: 20db9f9c59dac8d4656ba28f356d5afba33dc9615405516c4299e1db4c381d0f
  SHA512: 7d05ac2f42103a8b58c61c938c0bd15f435beff26b801b140d84100f095e3f6995b187e7f491179cf20f8291f160f2dc242bc807eddb85eba46e60dd9a6a0d81
- Filesize: 1KB
  MD5: d8c61c6b5288c9d944842f1749a5e129
  SHA1: 8e2b1a598dabb76ca7352efb0a4799767362b471
  SHA256: 4c88de8448e751653a3f09cacc3bdd947e1bf80cae2424bdbfeeafc23ccd587b
  SHA512: db12869542f93b783c0854d793143c19c7e894792045b9b003cc882842eb249a5b08c41b97ca19c0d2a9181c24335dc67e599a8c5bde08b58df679d2f57f901a
- Filesize: 102KB
  MD5: 57401a2069d022a5dc6ffee91de43906
  SHA1: 6e2850bde22f345739bf32031b2c2fb8850e0185
  SHA256: 9792c1645ecabeb90e2a61eb8a34ff0aa685eea55d61cbe47a667a3aca7e437b
  SHA512: f4498f1ccf80bfd305f2b312e6e09b68271f1468cb3505120539bae7cf72a66609a5fcbd66ed5274fb466fa2c3dc13cf61f83ad3105303c333f19f696c3c96aa