Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 19-09-2024 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Size: 282KB
- MD5: eaea25157814f7639054fd4ea04925fb
- SHA1: 4f37d87716fdc4bc92f9392dd65f4a00e2c4f1a9
- SHA256: 87cb3ff5904c8bf61a4fa4141b848e82ee2ae7d8eff79bd9ca881ff4eb0305fc
- SHA512: e16dcb5b8d7294053132b74225c26fa82b1bb32254041b185872652fdb6dd61e101303f5e7ea22072ff6fef863f936e3ce13f225966d5c6ac92361af77a865e5
- SSDEEP: 6144:1YuUaHTcIuw4mPMZ50HFGgGfILJ/Zv/TGmUs+xkFrb+ANbsj:1JOB10w8L5F/TG/k59U
Malware Config
Signatures
- Modifies security service (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Disables taskbar notifications via registry modification
- Executes dropped EXE (1 IoCs)
  pid | Process
  2180 | A61F.tmp
- Loads dropped DLL (2 IoCs)
  pid | Process
  2412 | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
  2412 | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches
  resource | yara_rule
  behavioral1/memory/2412-2-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2412-11-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2212-15-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2212-17-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2412-14-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral1/memory/2412-81-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2016-83-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2412-193-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2412-196-0x0000000000400000-0x000000000046B000-memory.dmp | upx
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\575.exe = "C:\\Program Files (x86)\\LP\\4483\\575.exe" | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\LP\4483\575.exe | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\LP\4483\575.exe | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
  File opened for modification | C:\Program Files (x86)\LP\4483\A61F.tmp | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | A61F.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  2412 | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe (14 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  956 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2684 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2684 | msiexec.exe
  Token: SeSecurityPrivilege | 2684 | msiexec.exe
  Token: SeShutdownPrivilege | 956 | explorer.exe (12 occurrences)
- Suspicious use of FindShellTrayWindow (28 IoCs)
  pid | Process
  956 | explorer.exe (28 occurrences)
- Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  956 | explorer.exe (18 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2412 wrote to memory of 2212 | 2412 | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe | 31 (4 occurrences)
  PID 2412 wrote to memory of 2016 | 2412 | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe | 33 (4 occurrences)
  PID 2412 wrote to memory of 2180 | 2412 | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe | 36 (4 occurrences)
- System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe (PID 2412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe (PID 2212)
    Command line: C:\Users\Admin\AppData\Local\Temp\eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\304F9\21C44.exe%C:\Users\Admin\AppData\Roaming\304F9
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe (PID 2016)
    Command line: C:\Users\Admin\AppData\Local\Temp\eaea25157814f7639054fd4ea04925fb_JaffaCakes118.exe startC:\Program Files (x86)\F9FA4\lvvm.exe%C:\Program Files (x86)\F9FA4
    - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\LP\4483\A61F.tmp (PID 2180)
    Command line: "C:\Program Files (x86)\LP\4483\A61F.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe (PID 2684)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 956)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
- Filesize: 1KB
  MD5: dcf766a8db3ee550b3a0a0081c0eddc7
  SHA1: 7c0ecc2e398abe3b015ba8c2e349004681c6bec5
  SHA256: d1a365813104035dd48bc665d8121f4ec7c1b0638c4f946150742cd7c1b54270
  SHA512: 4416c12217388dfc088dc135a3b7485c28424a1b3aa208a5db0dc184eb9bef50494307922d176e19a07e4f10ca73d78a931a612950d0a995ce67aa9f653eef6c
- Filesize: 600B
  MD5: 91624f9fb3bc03ccd80bc959be87bdc0
  SHA1: ac838579ba6159a0fa456a45d79ecfd5a7ce2e69
  SHA256: 8062b569538f4cc708d9afadcf602aa9386a4b3e84f6be513f7fdb6925540d78
  SHA512: fb9400da7a8f33763c5e11b79dcf23396f7b8783235d0ff0d8e1a7448f99c3869eceb6e49c4eac1ae5a7eadb00d220b3887ed1e35410ce200ec1028aac89bc97
- Filesize: 996B
  MD5: 7f758993960fdd64a39fd03cbbd6aa6c
  SHA1: beb801392e82950c8a39a95a3cca5aa8ad2144aa
  SHA256: a70ddf20d8d3980fef1464b4539e4f7f8d2523a8a4c8fbf9146e70f93ead629e
  SHA512: d53dcecb59d5cd41f7a9bc138e32d28d3720bb0435e0f87238be82ae2d59f891b98a3c3416a893664ca7d3b632debdd243b72f63c5a1afa991da4cbe3a0e3647
- Filesize: 99KB
  MD5: 82d50af33ff156670a076dc834a99b4d
  SHA1: d5e3662e28d51a8366fb214d77585b95984541d1
  SHA256: 7f57b37aa39698068271e64bbb42ff74b1a2b6157d233d8bdef1f683a7230a7d
  SHA512: 527986d4cca9998059e278de71989f3f46851eace0370cb2bfd69dc7292d5a1597a373ff2b350137eeea8dd7dd13a0e8de8b6306795e4b5a6428fab6c1b27563