Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2024 18:56
Behavioral task: behavioral1
- Sample: 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
- Size: 298KB
- MD5: 06ff06ef59d2c35b349bece6e2aa264d
- SHA1: d204a0f7e050d199044cc8a61dfdaefcc65ffef6
- SHA256: dc8f18df7e52f6ad6d39974d18fc0ea6ac45b0956435c88cd7424724a7a96ca6
- SHA512: 97995434f87f7f8c16a124ca399e223053912f81d4f8986229c990432e25de4ab75657e7eec311d21374d0a919984dad636aa2a542b6fbd824371e453ffc9ab6
- SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYq:v6Wq4aaE6KwyF5L0Y2D1PqL/
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (svhost.exe)
Executes dropped EXE (1 IoC)
- PID 2388: svhost.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by svhost.exe: \??\m:, \??\q:, \??\s:, \??\b:, \??\h:, \??\k:, \??\l:, \??\n:, \??\o:, \??\y:, \??\z:, \??\e:, \??\r:, \??\t:, \??\u:, \??\w:, \??\a:, \??\g:, \??\i:, \??\j:, \??\p:, \??\v:, \??\x:
AutoIT Executable (16 IoCs)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched in:
- behavioral1/memory/2276-799-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-1044-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-1156-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-2299-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-3450-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-4595-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-5743-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-6891-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-7924-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-9065-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-10220-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-11362-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-12509-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-13657-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-14802-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-15831-0x0000000000400000-0x00000000004C2000-memory.dmp
YARA rule upx (UPX-packed sections, 20 IoCs) matched in:
- behavioral1/memory/2276-0-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/files/0x00090000000120d6-4.dat
- behavioral1/memory/2388-7-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/files/0x0008000000016689-67.dat
- behavioral1/memory/2276-799-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-1044-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-1156-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-2299-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-3450-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-4595-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-5743-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-6891-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-7924-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-9065-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-10220-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-11362-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-12509-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-13657-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-14802-0x0000000000400000-0x00000000004C2000-memory.dmp
- behavioral1/memory/2388-15831-0x0000000000400000-0x00000000004C2000-memory.dmp
Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\Driver.db (svhost.exe)
- File created: C:\Windows\svhost.exe (06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svhost.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 2276: 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
- PID 2388: svhost.exe
- PID 2388: svhost.exe
- PID 2388: svhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2388: svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 2276: 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
- PID 2388: svhost.exe
(The 64 recorded entries repeat these two pid/process pairs.)
Suspicious use of SendNotifyMessage (64 IoCs)
- PID 2276: 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
- PID 2388: svhost.exe
(The 64 recorded entries repeat these two pid/process pairs.)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2276 wrote to memory of 2388: pid 2276, 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe, procid_target 28
- PID 2276 wrote to memory of 2388: pid 2276, 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe, procid_target 28
- PID 2276 wrote to memory of 2388: pid 2276, 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe, procid_target 28
- PID 2276 wrote to memory of 2388: pid 2276, 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe, procid_target 28
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe (PID 2276)
Command line: "C:\Users\Admin\AppData\Local\Temp\06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\svhost.exe (PID 2388)
Command line: C:\Windows\svhost.exe
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
File 1
- Filesize: 298KB
- MD5: 202b3f34bc3d75724467e84a29b328dd
- SHA1: 0e034d55808f6cc2195e21178f1701f77fecec6b
- SHA256: fe2cda14d84b26eaf52ce1e12410b403702fd5cbc3182fc5d4a9e120b7298661
- SHA512: 56a7584c3ec2f11a1e24d8bd361acef3bee25a1d8d1841035e55f392a661b8a223d99e1f363184e70f8b0a3f93ccf4f516af68886404df4d63f09f4b4297735e

File 2
- Filesize: 82B
- MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
- SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
- SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
- SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

File 3
- Filesize: 298KB
- MD5: cc5f917f0d2a158c5bcd741f28d3567b
- SHA1: 37d05c82dd836a15b5dc26fc8a668ac59d4a8a13
- SHA256: 80ee99cd2adcce756b6d7854cbbcfe481c8ba4a3e7855c046e5e2fe52b69a5c1
- SHA512: f3025ea512c5feec230d71b94b1cf7b26828bf4c9b772ac5a6aee643bb6daf2e448ccc7cfe4b9042deb2f7564c7bd3fd48f91d6387f222ce3a5770d11f4d7bd2