Analysis
-
max time kernel: 149s
max time network: 58s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted
26-07-2024 19:14
Static task
static1
Behavioral task
behavioral1
Sample
755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe
-
Size
328KB
-
MD5
755b1f60241f1ae2376ffeac9972568d
-
SHA1
6819ea04b3106c1197be855300448a4a6d73e968
-
SHA256
7ed8ea6805c2c8be03e74a147343a60b93b5a094a7a463864191442cb87fdf00
-
SHA512
5f7f4f472262a41efa071108a76d191e9194bd3de305e92ea15a7e7964e65192d652b40d4692e1fe8013b3a8ee50bfd836a5362ec425b0bb0e6bb9ab8d6333f7
-
SSDEEP
6144:Y7Xop2DQGktWZaZzHwqdsD57mte6wxVMHZc8Uy/Ya774Tu+sQV1ph:cokD5kt4aZcT97mk5yHa8DHouTM
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Note: the single IoC here is attributed to explorer.exe (PID 2068), not to the sample or to tgc.exe, so it should not be read as the sample's persistence. The persistence the sample itself establishes is the Run key and the exefile association change listed below.
Processes:
- explorer.exe (PID 2068): Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components
-
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
Processes:
- tgc.exe (PID 3016)
Note: tgc.exe is started with the path of the original sample as its argument (-gav C:\Users\Admin\AppData\Local\Temp\755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe, see Processes), which is consistent with the copy removing the dropper it was launched from.
-
Executes dropped EXE 1 IoCs
Processes:
- tgc.exe (PID 3016)
Note: the hashes of the dropped C:\Users\Admin\AppData\Local\tgc.exe (see Downloads) are identical to those of the submitted sample, so this is the sample copying itself to %LOCALAPPDATA%\tgc.exe rather than a second payload.
-
Loads dropped DLL 2 IoCs
Processes:
- 755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe (PID 2924), 2 events
-
Modifies system executable filetype association 2 TTPs 17 IoCs
tgc.exe rewrites the per-user exefile ProgID under HKCU\Software\Classes (shown by the sandbox as \REGISTRY\USER\<SID>_CLASSES). The default value of exefile\shell\open\command becomes "C:\Users\Admin\AppData\Local\tgc.exe" -a "%1" %*, so every .exe the user launches through the shell runs tgc.exe first, which is then expected to start the intended program; the runas and start verbs and the IsolatedCommand values are written with the stock "%1" %*. Because the per-user Classes hive takes precedence over HKLM in the merged HKEY_CLASSES_ROOT view, this needs no administrative rights and re-triggers the malware on every program launch for that user (ATT&CK T1546.001, Change Default File Association).
Processes:
tgc.exe (PID 3016):
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\Content Type = "application/x-msdownload"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start\command
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open\command
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\tgc.exe\" -a \"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\ = "Application"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\DefaultIcon
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\DefaultIcon\ = "%1"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas\command
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule match (upx)
- resource: behavioral1/memory/2924-1756-0x00000000003E0000-0x00000000003F6000-memory.dmp, yara_rule: upx
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 2 IoCs
Both values are written to the per-user Run key by the original sample (PID 2924). The numeric-named value points at the self-copy in %LOCALAPPDATA%; the ctfmon.exe value points at the genuine System32 binary and on its own looks like normal configuration, so a Run-key detection that only inspects the target path will see just the first entry (ATT&CK T1547.001).
Processes:
755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe (PID 2924):
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1963014324 = "C:\\Users\\Admin\\AppData\\Local\\tgc.exe"
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- 755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe (PID 2924): Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- tgc.exe (PID 3016): Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
-
Modifies registry class 41 IoCs
The tgc.exe entries are the .exe extension and exefile ProgID rewrite already covered under "Modifies system executable filetype association" (here including the .exe extension key, whose default value is set to "exefile"); the explorer.exe entries under Local Settings\...\Shell\BagMRU are the shell's own folder-view (ShellBag) bookkeeping.
Processes:
tgc.exe (PID 3016):
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open\command
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\Content Type = "application/x-msdownload"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\DefaultIcon\ = "%1"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\tgc.exe\" -a \"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\runas\command
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\start
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\open
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\open\command
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\tgc.exe\" -a \"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\runas
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\start\command
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\ = "Application"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\DefaultIcon
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\DefaultIcon\ = "%1"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start\command
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\Content Type = "application/x-msdownload"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\DefaultIcon
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\ = "exefile"
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\open
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\exefile\shell\runas\command
explorer.exe (PID 2068):
- Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
- 755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe (PID 2924), 8 events
- tgc.exe (PID 3016), 1 event
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- explorer.exe (PID 2068)
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
- explorer.exe (PID 2068): Token: SeShutdownPrivilege (12 events)
- AUDIODG.EXE (PID 2432): Token: 33 (2 events), Token: SeIncBasePriorityPrivilege (2 events)
-
Suspicious use of FindShellTrayWindow 32 IoCs
Processes:
- explorer.exe (PID 2068), 29 events
- tgc.exe (PID 3016), 3 events
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
- explorer.exe (PID 2068), 18 events
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- tgc.exe (PID 3016), 2 events
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
- 755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe (PID 2924) wrote to the memory of tgc.exe (PID 3016), 4 events
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe (PID 2924, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe"
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\tgc.exe (PID 3016, depth 2, child of PID 2924)
Command line: "C:\Users\Admin\AppData\Local\tgc.exe" -gav C:\Users\Admin\AppData\Local\Temp\755b1f60241f1ae2376ffeac9972568d_JaffaCakes118.exe
- Deletes itself
- Executes dropped EXE
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe (PID 2068, depth 1)
Command line: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXE (PID 2432, depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x41c
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Active Setup (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Active Setup (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\aekF346.tmp
Filesize 115B
MD5 6d35d1f5f160ea4f5e40791808dce34b
SHA1 dce12c41af7c6fbd6b4b74a1d3a47b9d6f4df44a
SHA256 58fc2ff2d93c758ad60ca9df1bc6a999e0d0e082e61e0e82e59826e870d593eb
SHA512 93ec3adb7530e49a8ccfd70c8063b0065c663aba0e2b4a9a85e622e14617f73e4d6dc48c482bda5cf14fd3a77b009869491e81c2e2209478399f405ff7e086e1
-
\Users\Admin\AppData\Local\tgc.exe (same hashes as the submitted sample: a self-copy)
Filesize 328KB
MD5 755b1f60241f1ae2376ffeac9972568d
SHA1 6819ea04b3106c1197be855300448a4a6d73e968
SHA256 7ed8ea6805c2c8be03e74a147343a60b93b5a094a7a463864191442cb87fdf00
SHA512 5f7f4f472262a41efa071108a76d191e9194bd3de305e92ea15a7e7964e65192d652b40d4692e1fe8013b3a8ee50bfd836a5362ec425b0bb0e6bb9ab8d6333f7
-
memory/2068-3489-0x0000000002610000-0x0000000002620000-memory.dmp (Filesize 64KB)
-
memory/2924-3473-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize 760KB)
-
memory/2924-1715-0x0000000000400000-0x00000000004C3A00-memory.dmp (Filesize 782KB)
-
memory/2924-1756-0x00000000003E0000-0x00000000003F6000-memory.dmp (Filesize 88KB, the region that matched the upx YARA rule)
-
memory/2924-3471-0x0000000000400000-0x00000000004C3A00-memory.dmp (Filesize 782KB)
-
memory/2924-3472-0x0000000000400000-0x00000000004C3A00-memory.dmp (Filesize 782KB)
-
memory/2924-1713-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize 4KB)
-
memory/2924-1714-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize 760KB)
-
memory/3016-3470-0x0000000000400000-0x00000000004C3A00-memory.dmp (Filesize 782KB)
-
memory/3016-3474-0x0000000000400000-0x00000000004C3A00-memory.dmp (Filesize 782KB)
-
memory/3016-3477-0x0000000000400000-0x00000000004C3A00-memory.dmp (Filesize 782KB)
-
memory/3016-3478-0x0000000000400000-0x00000000004C3A00-memory.dmp (Filesize 782KB)