Analysis
max time kernel: 146s
max time network: 152s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29-07-2024 10:05
Behavioral task: behavioral1
Sample: 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
Size: 18KB
MD5: 3fad2378feab32b6d3f8b955d98038b2
SHA1: 626d2a65d0c22ad510445171234d314bf93d0a2e
SHA256: a62eac7125d6a8e953325e4408f6f6ab187c808f9bfc0334e4d8723fae97c021
SHA512: 4436ac40b5042eb768285dfdb074453a5431a145d24ec3b7211f296a00d09ec60f4fcf5a9e71ea02769df5f6598069bb8bbc2f425ddd777a168e51adb68c6cbe
SSDEEP: 192:cZh9iPRuyEmDYGpMtLYOzgfwN4rUMGA5+bc7+jR9nsVVI+1k1ygJtac:MhEMyRYGKtLUlxGC+bXsVK+1k1ygbac
Malware Config
Signatures
Drops startup file (2 IoCs)
Processes: vbc.exe, 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\codec.exe | vbc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schost.js | 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\mscode = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe" | 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
description | pid | process
Token: SeDebugPrivilege | 2220 | 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe, vbc.exe
description | pid | process | target process
PID 2220 wrote to memory of 2616 | 2220 | 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe | vbc.exe
PID 2220 wrote to memory of 2616 | 2220 | 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe | vbc.exe
PID 2220 wrote to memory of 2616 | 2220 | 3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe | vbc.exe
PID 2616 wrote to memory of 2716 | 2616 | vbc.exe | cvtres.exe
PID 2616 wrote to memory of 2716 | 2616 | vbc.exe | cvtres.exe
PID 2616 wrote to memory of 2716 | 2616 | vbc.exe | cvtres.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2220
   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe (child of PID 2220)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\klmejjjw.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      PID: 2616
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (child of PID 2616)
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB0E.tmp"
         PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads