Analysis
- max time kernel: 148s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2024 22:56
Static task: static1
Behavioral task: behavioral1
- Sample: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
- Size: 1.9MB
- MD5: 761533a58e9678720bd218b10e943d80
- SHA1: f3d4c60f04e96aa3f9b6227ce60d1c87eff51058
- SHA256: 873becc2d2a5b3c84ab132a7b677088a5e92a72bbe0883861513f5e786e6b9c2
- SHA512: 84633493280ac2adcb89c718a1b7b9dfccbe74db03f4058d24a0ae2099bb53c74835e3ca47ce71fc0af181484eab097b73085adf2cac1e9872c148dc4d182405
- SSDEEP: 24576:l39ZDtTS7od7341D2+jjqBicDSdwAO3BECoRWz5smhqzxGkdNrAQDEyYECMrU1y:l3dh73WD2IcicDsZO3BjwG5h+dJfr
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
Processes: Cloud AV 2012v121.exe
  description                    ioc                                      process
  File opened for modification   C:\Windows\system32\drivers\etc\hosts    Cloud AV 2012v121.exe
Executes dropped EXE (2 IoCs)
Processes: Cloud AV 2012v121.exe, Cloud AV 2012v121.exe
  pid    process
  3304   Cloud AV 2012v121.exe
  2724   Cloud AV 2012v121.exe
UPX yara rule matches (13 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3256-1-0x0000000000400000-0x0000000000914000-memory.dmp   upx
  behavioral2/memory/3256-2-0x0000000000400000-0x0000000000917000-memory.dmp   upx
  behavioral2/memory/3256-7-0x0000000000400000-0x0000000000917000-memory.dmp   upx
  behavioral2/memory/3256-8-0x0000000000400000-0x0000000000914000-memory.dmp   upx
  behavioral2/memory/3304-11-0x0000000000400000-0x0000000000917000-memory.dmp  upx
  behavioral2/memory/3304-17-0x0000000000400000-0x0000000000917000-memory.dmp  upx
  behavioral2/memory/2724-19-0x0000000000400000-0x0000000000917000-memory.dmp  upx
  behavioral2/memory/2724-84-0x0000000000400000-0x0000000000917000-memory.dmp  upx
  behavioral2/memory/2724-101-0x0000000000400000-0x0000000000917000-memory.dmp upx
  behavioral2/memory/2724-121-0x0000000000400000-0x0000000000917000-memory.dmp upx
  behavioral2/memory/2724-143-0x0000000000400000-0x0000000000917000-memory.dmp upx
  behavioral2/memory/2724-177-0x0000000000400000-0x0000000000917000-memory.dmp upx
  behavioral2/memory/2724-221-0x0000000000400000-0x0000000000917000-memory.dmp upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe, Cloud AV 2012v121.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LlBtzP0ySi3na6W8234A = "C:\\Windows\\system32\\Cloud AV 2012v121.exe" | 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a1uvD2obFpHsJdL8234A = "C:\\Users\\Admin\\AppData\\Roaming\\UcSiD3nG4Q6\\Cloud AV 2012v121.exe" | Cloud AV 2012v121.exe
Drops file in System32 directory (2 IoCs)
Processes: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe, Cloud AV 2012v121.exe
  description    ioc                                          process
  File created   C:\Windows\SysWOW64\Cloud AV 2012v121.exe    761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
  File created   C:\Windows\SysWOW64\Cloud AV 2012v121.exe    Cloud AV 2012v121.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe, Cloud AV 2012v121.exe, Cloud AV 2012v121.exe
  description   ioc                                                       process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Cloud AV 2012v121.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Cloud AV 2012v121.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Cloud AV 2012v121.exe, Cloud AV 2012v121.exe
  pid    process                  events (identical repeated entries collapsed)
  3304   Cloud AV 2012v121.exe    8
  2724   Cloud AV 2012v121.exe    56
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: msiexec.exe
  description                  pid    process
  Token: SeSecurityPrivilege   4020   msiexec.exe
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes: Cloud AV 2012v121.exe
  pid    process                  events (identical repeated entries collapsed)
  2724   Cloud AV 2012v121.exe    6
Suspicious use of SendNotifyMessage (6 IoCs)
Processes: Cloud AV 2012v121.exe
  pid    process                  events (identical repeated entries collapsed)
  2724   Cloud AV 2012v121.exe    6
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe, Cloud AV 2012v121.exe, Cloud AV 2012v121.exe
  pid    process                                               events (identical repeated entries collapsed)
  3256   761533a58e9678720bd218b10e943d80_JaffaCakes118.exe   1
  3304   Cloud AV 2012v121.exe                                 2
  2724   Cloud AV 2012v121.exe                                 5
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 761533a58e9678720bd218b10e943d80_JaffaCakes118.exe, Cloud AV 2012v121.exe
  description                        pid    process                                               target process           events (identical repeated entries collapsed)
  PID 3256 wrote to memory of 3304   3256   761533a58e9678720bd218b10e943d80_JaffaCakes118.exe   Cloud AV 2012v121.exe    3
  PID 3304 wrote to memory of 2724   3304   Cloud AV 2012v121.exe                                 Cloud AV 2012v121.exe    3
Processes
- C:\Users\Admin\AppData\Local\Temp\761533a58e9678720bd218b10e943d80_JaffaCakes118.exe (PID 3256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\761533a58e9678720bd218b10e943d80_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\Cloud AV 2012v121.exe (PID 3304)
    Command line: C:\Windows\system32\Cloud AV 2012v121.exe 5985C:\Users\Admin\AppData\Local\Temp\761533a58e9678720bd218b10e943d80_JaffaCakes118.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Roaming\UcSiD3nG4Q6\Cloud AV 2012v121.exe (PID 2724)
      Command line: C:\Users\Admin\AppData\Roaming\UcSiD3nG4Q6\Cloud AV 2012v121.exe 5985C:\Windows\SysWOW64\Cloud AV 2012v121.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\msiexec.exe (PID 4020)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads