Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2024 09:05
Static task: static1
Behavioral task: behavioral1
  Sample: ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe
Size: 648KB
MD5: ca8a20ea8d4c2138ceea59b48e0866b4
SHA1: 873da3bd6e0864f7f4aef6bb9221cd6a7c6fe705
SHA256: 6ff3d035b2e8e8e4e916d812d56fc80ef208a73df53f518a8e3897d36b98587b
SHA512: 15f85396048d726f9be0f98aeb30bd20897c74c3963b63f6effc2d07e1f4d419f730b6affcceaf162aa9e856d2cbf51c0c66e36e2800c828509b09016e19c355
SSDEEP: 6144:zXkq206D2dF/ciYI+4wvsMgeFwjdcIS77J1gMvDrcxlFRShozxSdRrZX+Uam:zXnz5iQYwjdcIsvdDLhwS5
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2820  cmd.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2224  ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                    Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\iscilog.exe"  ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2596  PING.EXE
  2820  cmd.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  2596  PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2224  ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2420  ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe
  Token: SeDebugPrivilege  2224  ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2224  ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                              procid_target
  PID 2420 wrote to memory of 2224  2420  ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe  30
  PID 2420 wrote to memory of 2224  2420  ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe  30
  PID 2420 wrote to memory of 2224  2420  ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe  30
  PID 2420 wrote to memory of 2820  2420  ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe  31
  PID 2420 wrote to memory of 2820  2420  ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe  31
  PID 2420 wrote to memory of 2820  2420  ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe  31
  PID 2820 wrote to memory of 2596  2820  cmd.exe                                              33
  PID 2820 wrote to memory of 2596  2820  cmd.exe                                              33
  PID 2820 wrote to memory of 2596  2820  cmd.exe                                              33
Processes
C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2420

  C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2224

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_JaffaCakes118.exe"
    - Deletes itself
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2820

    C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 2596
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118\ca8a20ea8d4c2138ceea59b48e0866b4_jaffacakes118.exe
  Filesize: 648KB
  MD5: ca8a20ea8d4c2138ceea59b48e0866b4
  SHA1: 873da3bd6e0864f7f4aef6bb9221cd6a7c6fe705
  SHA256: 6ff3d035b2e8e8e4e916d812d56fc80ef208a73df53f518a8e3897d36b98587b
  SHA512: 15f85396048d726f9be0f98aeb30bd20897c74c3963b63f6effc2d07e1f4d419f730b6affcceaf162aa9e856d2cbf51c0c66e36e2800c828509b09016e19c355

(path not given in report)
  Filesize: 52B
  MD5: 16becb98e228a31d541de78dda5bfdfb
  SHA1: 6de9bfd466e958cfa482d1fc50ed4ba8f3897532
  SHA256: 43997393dc669976a78d434605609061209cf5ecc4aad10a81de5d83d9309575
  SHA512: 3bcaecef18fa815e94faed88c3f92915f2663228760aeb4db7f16805e4da35820959d9903c0fe36793d547386395e44397985f5b477c1bb42c5650c3846bf60e