Analysis
max time kernel: 150s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30/09/2024, 18:05
Behavioral task: behavioral1
Sample: 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
Size: 298KB
MD5: 02a08893c0229306b3bed80c0be7506d
SHA1: f7b32331e6e25af8f3c2b6a7194818d870d43ab5
SHA256: def605e306e0bf9575e080f55f6a57d321f165689f62fd305ad96272d1d2ace7
SHA512: 5aeea8b7a8a490db301069a1ca4010b0e79ba98f39c21eb9e82f1c48c48bb9bf1eaa2e4572d36c4edd59ad1b13aef52c2e6bed123cefe998e41664c9a91f83a6
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYd:v6Wq4aaE6KwyF5L0Y2D1PqLU
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE (1 IoC)
pid | Process
2340 | svhost.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\k: | svhost.exe
File opened (read-only) | \??\l: | svhost.exe
File opened (read-only) | \??\n: | svhost.exe
File opened (read-only) | \??\o: | svhost.exe
File opened (read-only) | \??\p: | svhost.exe
File opened (read-only) | \??\x: | svhost.exe
File opened (read-only) | \??\b: | svhost.exe
File opened (read-only) | \??\h: | svhost.exe
File opened (read-only) | \??\z: | svhost.exe
File opened (read-only) | \??\w: | svhost.exe
File opened (read-only) | \??\y: | svhost.exe
File opened (read-only) | \??\a: | svhost.exe
File opened (read-only) | \??\j: | svhost.exe
File opened (read-only) | \??\q: | svhost.exe
File opened (read-only) | \??\t: | svhost.exe
File opened (read-only) | \??\e: | svhost.exe
File opened (read-only) | \??\i: | svhost.exe
File opened (read-only) | \??\r: | svhost.exe
File opened (read-only) | \??\s: | svhost.exe
File opened (read-only) | \??\u: | svhost.exe
File opened (read-only) | \??\v: | svhost.exe
File opened (read-only) | \??\g: | svhost.exe
File opened (read-only) | \??\m: | svhost.exe
AutoIT Executable (17 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2340-7-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2320-807-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-1042-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-1155-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-2300-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-3450-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-4595-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-5743-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-6892-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-7924-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-9067-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-10219-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-11361-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-12508-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-13658-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-14802-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral1/memory/2340-15951-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
upx yara rule matches (20 IoCs)
resource | yara_rule
behavioral1/memory/2320-0-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/files/0x00080000000120fe-4.dat | upx
behavioral1/memory/2340-7-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/files/0x00060000000195d6-67.dat | upx
behavioral1/memory/2320-807-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-1042-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-1155-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-2300-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-3450-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-4595-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-5743-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-6892-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-7924-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-9067-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-10219-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-11361-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-12508-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-13658-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-14802-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral1/memory/2340-15951-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svhost.exe | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svhost.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2320 | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
2340 | svhost.exe
2340 | svhost.exe
2340 | svhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2340 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
2320 | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
2340 | svhost.exe
(64 rows in total: the two processes above alternate in the first part of the table, after which every remaining row is 2340 svhost.exe)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
2320 | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
2340 | svhost.exe
(64 rows in total: the two processes above alternate in the first part of the table, after which every remaining row is 2340 svhost.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2320 wrote to memory of 2340 | 2320 | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe | 29
PID 2320 wrote to memory of 2340 | 2320 | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe | 29
PID 2320 wrote to memory of 2340 | 2320 | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe | 29
PID 2320 wrote to memory of 2340 | 2320 | 02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02a08893c0229306b3bed80c0be7506d_JaffaCakes118.exe"
   PID: 2320
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svhost.exe (child process of PID 2320)
      Command line: C:\Windows\svhost.exe
      PID: 2340
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 298KB
MD5: b5451adae9ec6b6bd0acdff991254227
SHA1: 14d14bcb9d0384ab8275164e2a446d0520186d0a
SHA256: efa8834d2017be6933ca3a437419e3a019279f0d5df39e665b2b819897ce8c25
SHA512: a1bf4210fce9ad6d85190626597c4f33f5f0b53ba9d0a716a8d98a24a7941f0381a684261fc0fe83bc54a0fd6e1aed5abeb6af748367a70af86c331a2de54a95

Filesize: 82B
MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Filesize: 298KB
MD5: af50f17a7100d8dc4449a577bf1a414e
SHA1: 5bb1271e4953d52e46c7221ecf6e2037ca8e8c1f
SHA256: 579da665b4a3b34f8843c52bc8a0af5cb19e7d4b1a02c56119df29e580311ff9
SHA512: 263034c8f79c4e251047cc91db7c0af6ff977eea4dd2d0469e0f2927503bdc104c2c4418c4a1261aa1dbfdf8d6371e48d6828dbdb5efdb6e3139bd67f4e9619e