Analysis

max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-08-2024 17:04

Static task: static1
Behavioral task: behavioral1
Sample: bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe
Resource: win7-20240704-en
General

Target: bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe
Size: 65KB
MD5: bc95c9fc4557e6cf37622fb568ea422a
SHA1: 0203751d5b540fd93a314d585d91d8101dd5acf3
SHA256: 0e547d4270446c4e75f53519747b633db8036e69d90ca39c0902661d21d3d794
SHA512: a4e0c6c24758708703c30f7eb9462f2195ab813533d5d946a06d97709418e0b8451c2a08f532bfb7df5a394bd2d009d7f11ffcb9a9e49e8dfc85a4e3f0b269e8
SSDEEP: 1536:RjMqxL2Q31HtfPM3XApqmxOEcxq/QhIw:RAatf04xOI
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts
  Process: bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe:
  \??\L:, \??\H:, \??\Y:, \??\Q:, \??\T:, \??\R:, \??\Z:, \??\U:, \??\J:, \??\I:, \??\G:, \??\P:, \??\K:, \??\V:, \??\S:, \??\O:, \??\N:, \??\M:, \??\E:, \??\X:, \??\W:

Drops file in Program Files directory (64 IoCs)
  File opened for modification by bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe:
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe
  C:\Program Files\Java\jdk-1.8\bin\orbd.exe
  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe
  C:\Program Files (x86)\Windows Mail\wabmig.exe
  C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe
  C:\Program Files\dotnet\dotnet.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
  C:\Program Files\Java\jdk-1.8\bin\keytool.exe
  C:\Program Files\Java\jdk-1.8\bin\rmid.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
  C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe
  C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe
  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe
  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
  C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  C:\Program Files\Windows Mail\wab.exe
  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\java.exe
  C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe
  C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  C:\Program Files\Java\jdk-1.8\bin\jar.exe
  C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe
  C:\Program Files\Java\jdk-1.8\bin\javah.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
  C:\Program Files\Mozilla Firefox\pingsender.exe
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
  C:\Program Files\Java\jdk-1.8\bin\jstat.exe
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  C:\Program Files\Java\jdk-1.8\bin\jstack.exe
  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
  C:\Program Files\Java\jdk-1.8\bin\klist.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: net.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: net1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe)
Runs net.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid 5072, process bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe (18 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 5072 wrote to memory of 3192 | pid 5072 | bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe | procid_target 83
  PID 5072 wrote to memory of 3192 | pid 5072 | bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe | procid_target 83
  PID 5072 wrote to memory of 3192 | pid 5072 | bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe | procid_target 83
  PID 3192 wrote to memory of 4920 | pid 3192 | net.exe | procid_target 85
  PID 3192 wrote to memory of 4920 | pid 3192 | net.exe | procid_target 85
  PID 3192 wrote to memory of 4920 | pid 3192 | net.exe | procid_target 85
  PID 5072 wrote to memory of 3380 | pid 5072 | bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe | procid_target 55
  PID 5072 wrote to memory of 3380 | pid 5072 | bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe | procid_target 55
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3380

   2. C:\Users\Admin\AppData\Local\Temp\bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bc95c9fc4557e6cf37622fb568ea422a_JaffaCakes118.exe"
      - Drops file in Drivers directory
      - Enumerates connected drives
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 5072

      3. C:\Windows\SysWOW64\net.exe
         Command line: net stop "Kingsoft AntiVirus Service"
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3192

         4. C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            - System Location Discovery: System Language Discovery
            PID: 4920
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 80KB
MD5: 0320217e7fa25e88cf4eb84573352738
SHA1: 9e0305839845f2ee8e3fe458907353ff6287b44d
SHA256: 553585edccd4e4fa892ae42b4fdd2b747624694f61e97a409f9d2c8d975327ec
SHA512: b1d448a502eacdc07a04ae28a45b86ce578405d1775085f458fe75a733a4cf6779e4d6cb8152d9099333d5bb4b986e0f4dc1c7a24f181872f4814ab457801537