Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 19-08-2024 06:15
Static task: static1
Behavioral task: behavioral1
  Sample: a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe
Size: 163KB
MD5: a9e8d1a30c8e2fd5c48f17000aa814c6
SHA1: df407372fa427b3444bd52d47db4c2ce4f255c99
SHA256: bf81d34d57b3fd15de4f92dd416fca1d6700824c73370beb5eddc4c766ec0efe
SHA512: fe367a193b718dc51f23fd37af41a557f403b704d139a8ae84fdf4c3fa2c73edbf8fc0a16b8fb24fd3aacb670b38526b8d00edc60a811fe0adbc9980af7e6844
SSDEEP: 3072:lb9HdEgnc29JuB/RVgU974KlGro2UWQRtgxC6c3ovNRdNUirqSmF7Nv5D:l5HXbmVJ974KlGM/g46cYVWimF7hV
Malware Config
Signatures

Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 2 IoCs)
  description     | ioc                                                                                                                 | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe                  | a5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe" | a5.exe
Executes dropped EXE (3 IoCs)
  pid  | Process
  2680 | QvodSetupPlus3.exe
  2824 | a5.exe
  3060 | ~25947822.exe
Loads dropped DLL (8 IoCs)
  pid  | Process
  2644 | a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe (3 entries)
  2680 | QvodSetupPlus3.exe (3 entries)
  2824 | a5.exe (2 entries)

UPX yara_rule matches
  resource                                                              | yara_rule
  behavioral1/files/0x0019000000005c50-3.dat                            | upx
  behavioral1/files/0x0010000000015d8b-13.dat                           | upx
  behavioral1/memory/2824-20-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral1/memory/2680-19-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2680-24-0x0000000000240000-0x0000000000297000-memory.dmp | upx
  behavioral1/memory/2680-28-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2824-29-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral1/memory/2680-31-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2824-32-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral1/memory/2680-45-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2824-46-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral1/memory/2680-48-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2680-52-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2680-56-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2680-58-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2680-62-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2680-66-0x0000000000400000-0x0000000000457000-memory.dmp | upx
  behavioral1/memory/2680-68-0x0000000000400000-0x0000000000457000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc                                                                                                                            | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfigs = "C:\\Windows\\system32\\cwREB.exe"     | a5.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\msconfigs = "C:\\Windows\\system32\\cwREB.exe" | a5.exe
Drops file in System32 directory (1 IoCs)
  description  | ioc                              | Process
  File created | C:\Windows\SysWOW64\cwREB.exe    | a5.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ~25947822.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QvodSetupPlus3.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid  | Process
  2824 | a5.exe (10 entries)
  3060 | ~25947822.exe (5 entries)
Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  476 | Process not Found
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2824 | a5.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid  | Process
  2680 | QvodSetupPlus3.exe (3 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
  pid  | Process
  2680 | QvodSetupPlus3.exe (3 entries)
Suspicious use of WriteProcessMemory (19 IoCs)
  description                   | pid  | Process                                            | procid_target
  PID 2644 wrote to memory of 2680 | 2644 | a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe | 30  (7 entries)
  PID 2644 wrote to memory of 2824 | 2644 | a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe | 31  (4 entries)
  PID 2824 wrote to memory of 3060 | 2824 | a5.exe                                             | 32  (4 entries)
  PID 3060 wrote to memory of 1440 | 3060 | ~25947822.exe                                      | 33  (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a9e8d1a30c8e2fd5c48f17000aa814c6_JaffaCakes118.exe"
  depth: 1
  PID: 2644
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe"
      depth: 2
      PID: 2680
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Users\Admin\AppData\Local\Temp\a5.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a5.exe"
      depth: 2
      PID: 2824
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\~25947822.exe
          command line: C:\Users\Admin\AppData\Local\Temp\~25947822.exe
          depth: 3
          PID: 3060
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              command line: cmd
              depth: 4
              PID: 1440
              - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads

Filesize: 149KB
  MD5: a3de6c880f4fbe1c2fdae63bed2587c5
  SHA1: d24408ca4349f83b66409e773fab10863469a1f6
  SHA256: eae20a59c483e08d98b03e9367af8069ae78133240f0ad73077db1f5f63c1e39
  SHA512: 218523a61e1cb2da1e2f92170965bcb51f3dc006365be606cd3d19fe8abe54c6c59674c161febdeacdc0fa8974a5ed1bfe00471c1762184026646cbc9881d12e

Filesize: 27KB
  MD5: 0384f7bb7c11478a49daa7bf8835b350
  SHA1: 4e03775afcf603a7fa8826780b28ced3dc973114
  SHA256: ef08c323945e892f2effe7f798c37e097ce298b5d84d14fb91f0f7c59b4e6b3d
  SHA512: 2559884a2e88ba7a9136554d151d364aede5b07da25b2a06996b528402edd37f37c8ba362484c35e5a693cd012dc23b0373cc178cbbd877fdc56832a837ee4b9

Filesize: 8KB
  MD5: b982364e53855a6963f2753fc5fc084f
  SHA1: b66c7dda9ae97712b0640bfba61ca15e23bc82ec
  SHA256: c81d315f80e8b3207e9391298263fae8651046576fc2a652e26d744fe5227763
  SHA512: d06f3b6000a4e342773435e9b96818614af4da3a8c2b692e1d5cc994d18c68872858cb09fd36bca3158ab863efb31e89421866f4c99d6f863b8d593db0adfc7e