Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-09-2024 05:45
Static task: static1
Behavioral task: behavioral1
Sample: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Size: 252KB
MD5: d3ae29e3719d5fd68d31bf3c4d9eac30
SHA1: 8739e0f1800b0a89c48e400bd36a705c39bf1c4d
SHA256: bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2
SHA512: db2cb32a5dd1fbb061e1755a48b1b9b1c35ba01a2405e5f26f5afb4f0ead8ccee3f001e6d8178e134ac65eb7b5b2eed064c978ef0fd72188805eefa8245130bf
SSDEEP: 6144:Qkp72oN2xBsSc6HHLHEKrNhKb1prrTYJR/zMCZf:QkX+sgHLEKphKb1pnYb
Malware Config
Signatures
Detects PlugX payload (14 IoCs)
resource / yara_rule:
- behavioral1/memory/2248-2-0x0000000002360000-0x000000000238E000-memory.dmp family_plugx
- behavioral1/memory/2208-9-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
- behavioral1/memory/2208-13-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
- behavioral1/memory/2248-25-0x0000000002360000-0x000000000238E000-memory.dmp family_plugx
- behavioral1/memory/2208-27-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
- behavioral1/memory/2208-26-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
- behavioral1/memory/2208-24-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
- behavioral1/memory/2208-29-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
- behavioral1/memory/2632-39-0x0000000000260000-0x000000000028E000-memory.dmp family_plugx
- behavioral1/memory/2632-43-0x0000000000260000-0x000000000028E000-memory.dmp family_plugx
- behavioral1/memory/2632-42-0x0000000000260000-0x000000000028E000-memory.dmp family_plugx
- behavioral1/memory/2208-44-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
- behavioral1/memory/2632-45-0x0000000000260000-0x000000000028E000-memory.dmp family_plugx
- behavioral1/memory/2208-52-0x0000000000170000-0x000000000019E000-memory.dmp family_plugx
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdoberDis = "C:\\Windows\\AdobeDis.exe" (process: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe)
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: msiexec.exe)
Modifies registry class (2 IoCs)
description / ioc / Process:
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 33003700310042003600410038004600300034003400320036004400440043000000 (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\CLASSES\MJ (process: svchost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs, across two processes)
pid / Process:
- 2208 svchost.exe
- 2632 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / Process:
- 2208 svchost.exe
- 2632 msiexec.exe
Suspicious behavior: RenamesItself (1 IoC)
pid / Process:
- 2248 d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, PID 2248, d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
- Token: SeTcbPrivilege, PID 2248, d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 2208, svchost.exe
- Token: SeTcbPrivilege, PID 2208, svchost.exe
- Token: SeDebugPrivilege, PID 2632, msiexec.exe
- Token: SeTcbPrivilege, PID 2632, msiexec.exe
Suspicious use of WriteProcessMemory (21 IoCs, two distinct parent/target pairs)
description / pid / Process / procid_target:
- PID 2248 (d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe) wrote to memory of PID 2208, procid_target 29
- PID 2208 (svchost.exe) wrote to memory of PID 2632, procid_target 30
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d3ae29e3719d5fd68d31bf3c4d9eac30_JaffaCakes118.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2248
Process (depth 2): C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2208
Process (depth 3): C:\Windows\SysWOW64\msiexec.exe
Command line: C:\Windows\SysWOW64\msiexec.exe
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID: 2632