Analysis
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2024 18:56
Behavioral task: behavioral1
Sample: 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
Size: 298KB
MD5: 06ff06ef59d2c35b349bece6e2aa264d
SHA1: d204a0f7e050d199044cc8a61dfdaefcc65ffef6
SHA256: dc8f18df7e52f6ad6d39974d18fc0ea6ac45b0956435c88cd7424724a7a96ca6
SHA512: 97995434f87f7f8c16a124ca399e223053912f81d4f8986229c990432e25de4ab75657e7eec311d21374d0a919984dad636aa2a542b6fbd824371e453ffc9ab6
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYq:v6Wq4aaE6KwyF5L0Y2D1PqL/
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE (1 IoCs)
pid | Process
4488 | svhost.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\n: | svhost.exe
File opened (read-only) | \??\w: | svhost.exe
File opened (read-only) | \??\e: | svhost.exe
File opened (read-only) | \??\j: | svhost.exe
File opened (read-only) | \??\x: | svhost.exe
File opened (read-only) | \??\a: | svhost.exe
File opened (read-only) | \??\q: | svhost.exe
File opened (read-only) | \??\k: | svhost.exe
File opened (read-only) | \??\m: | svhost.exe
File opened (read-only) | \??\o: | svhost.exe
File opened (read-only) | \??\s: | svhost.exe
File opened (read-only) | \??\v: | svhost.exe
File opened (read-only) | \??\z: | svhost.exe
File opened (read-only) | \??\b: | svhost.exe
File opened (read-only) | \??\i: | svhost.exe
File opened (read-only) | \??\l: | svhost.exe
File opened (read-only) | \??\p: | svhost.exe
File opened (read-only) | \??\r: | svhost.exe
File opened (read-only) | \??\t: | svhost.exe
File opened (read-only) | \??\u: | svhost.exe
File opened (read-only) | \??\y: | svhost.exe
File opened (read-only) | \??\g: | svhost.exe
File opened (read-only) | \??\h: | svhost.exe
AutoIT Executable (16 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4308-739-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-1111-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-1112-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-2237-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-3373-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-4499-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-5631-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-6769-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-7900-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-9034-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-10159-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-11288-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-12299-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-13430-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-14560-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
behavioral2/memory/4488-15695-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe

resource | yara_rule
behavioral2/memory/4308-0-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/files/0x000900000002369d-3.dat | upx
behavioral2/files/0x00070000000236a7-141.dat | upx
behavioral2/memory/4308-739-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-1111-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-1112-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-2237-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-3373-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-4499-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-5631-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-6769-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-7900-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-9034-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-10159-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-11288-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-12299-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-13430-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-14560-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
behavioral2/memory/4488-15695-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svhost.exe | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svhost.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4488 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
4488 | svhost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4308 wrote to memory of 4488 | 4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe | 89
PID 4308 wrote to memory of 4488 | 4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe | 89
PID 4308 wrote to memory of 4488 | 4308 | 06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe | 89
Processes

Process (level 1): C:\Users\Admin\AppData\Local\Temp\06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\06ff06ef59d2c35b349bece6e2aa264d_JaffaCakes118.exe"
PID: 4308
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Process (level 2): C:\Windows\svhost.exe
  Command line: C:\Windows\svhost.exe
  PID: 4488
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Process (level 1): C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:8
PID: 4268
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 298KB
MD5: 4fe893ee5146b1c574dac0bf01fbc69e
SHA1: b864e4f7af92c097c825ea2b2e7278b7ca7518ca
SHA256: ace054797cdde7f4e232d9d4206b21ae3c5229def066b46f181d02582a19e011
SHA512: 4909fd711d218b63b19bf260b034704c199d5ad8bf42e7948e0d0a9efb27897276f2a54b57763036a84dd12877ae7b1ba33f6af80373181f786798713c20fd9d

Filesize: 82B
MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Filesize: 298KB
MD5: 038dd298f5b83932a4daf4b9aa23d9d4
SHA1: 122cf2b4e3b9d34620dd92788085aa3e40842ff2
SHA256: 66312d67a1b3adafeb0f33f236f7b152b62cb195ca90373d5323144be14b379f
SHA512: 01bf7297269211350824937889fcec20ada38ef65ebf79ed5b54dd6aad898b00d221a9d574127042a406c7c67f2f5ba4633a3ca946998c6aa5f4c1aaf14242bd