Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 10:11
Static task
static1
Behavioral task
behavioral1
Sample
e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe
-
Size
675KB
-
MD5
e696b38ac71b23f50ee68da06a004af3
-
SHA1
480e3fe49e3acb71e1a466e8ba2d02997eaf278e
-
SHA256
da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e
-
SHA512
7373f4ae19a732058e923172482d2b15fb8bed784431b734bfd3822c29b4369bc67a94804d00d0004f9ff7781f0db5eab4c4bf0f7cdf6f97d38f44a238bd709f
-
SSDEEP
12288:jat0EAH49n8Bm1zXC9YWP1W/zkObvcparNFzgnfFuQvJWzcI7On1hIRlhnXqyZx:2t24V1zgYbL1fFzgfF7Wr7O1e5Tx
Malware Config
Signatures
-
Detects PlugX payload 15 IoCs
resource yara_rule behavioral1/memory/2392-25-0x0000000000210000-0x000000000023E000-memory.dmp family_plugx behavioral1/memory/2588-33-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2588-50-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2588-49-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2588-48-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2392-47-0x0000000000210000-0x000000000023E000-memory.dmp family_plugx behavioral1/memory/2588-46-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2588-35-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2588-51-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/1488-57-0x0000000000890000-0x00000000008BE000-memory.dmp family_plugx behavioral1/memory/1488-60-0x0000000000890000-0x00000000008BE000-memory.dmp family_plugx behavioral1/memory/1488-59-0x0000000000890000-0x00000000008BE000-memory.dmp family_plugx behavioral1/memory/2588-61-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2588-62-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx behavioral1/memory/2588-66-0x0000000000280000-0x00000000002AE000-memory.dmp family_plugx -
Executes dropped EXE 1 IoCs
pid Process 2392 msseces.exe -
Loads dropped DLL 5 IoCs
pid Process 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 2392 msseces.exe -
Unexpected DNS network traffic destination 6 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 153.248.10.165 Destination IP 153.248.10.165 Destination IP 153.248.10.165 Destination IP 153.248.10.165 Destination IP 153.248.10.165 Destination IP 153.248.10.165 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msseces.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\MJ svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 43003500420044004200350033003000420036003400420033003900320041000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2588 svchost.exe 2588 svchost.exe 2588 svchost.exe 2588 svchost.exe 2588 svchost.exe 2588 svchost.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 2588 svchost.exe 2588 svchost.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 2588 svchost.exe 2588 svchost.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 2588 svchost.exe 2588 svchost.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 2588 svchost.exe 2588 svchost.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe 1488 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2588 svchost.exe 1488 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2392 msseces.exe Token: SeTcbPrivilege 2392 msseces.exe Token: SeDebugPrivilege 2588 svchost.exe Token: SeTcbPrivilege 2588 svchost.exe Token: SeDebugPrivilege 1488 msiexec.exe Token: SeTcbPrivilege 1488 msiexec.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2392 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2392 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2392 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2392 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2392 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2392 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 30 PID 2972 wrote to memory of 2392 2972 e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe 30 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2392 wrote to memory of 2588 2392 msseces.exe 31 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33 PID 2588 wrote to memory of 1488 2588 svchost.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e696b38ac71b23f50ee68da06a004af3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe"C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\SysWOW64\msiexec.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5184dd07bc91cc915aebf157a8b28066d
SHA1fe906d8fa97b41df64344b688471f8489fff5ac0
SHA2567cf636ef15ffdfec2f4d5209880183d0c44103d6557eced172124fd993a6d967
SHA512c35adc26ac6a8189dc641324f5a301c641c8bed42e420f1b344d4bd96142324cf2203c77f24cb16ba5ed534049cab956880d1c6f9f8e77920109b4a7950cb831
-
Filesize
116KB
MD5200c06f1be562a09cafab07d22838767
SHA1f724d592c8300ce88bf77ca13a55f74d175286ff
SHA256bf145d057e0b3cfd96da733c66344a0a07c86440d11bfc907b6bc740bb04dda7
SHA5124002e986d43e0e6956b6c184bba3a59c8d50c320a2ac928d3cade920f64c8deed1ef530ab7fdbed040c2af928a2596903ac20965f065f64a68266f54d10cc152
-
Filesize
951KB
MD5e279e55c0d5f5da2e1fd268ebd12f268
SHA1f98338fde49327cf1e357c6eb704ef55eaf48f8f
SHA25606c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12
SHA512701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da