Analysis
- max time kernel: 122s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2024 01:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
- Size: 631KB
- MD5: 0843c2b2637d5c7f6a9e4867ef2a9ff4
- SHA1: 8d16bb23e21ca07a3ac2069bc3458847d0758f90
- SHA256: bbe0f74fca386e4bd78dd21c03f4b9f6086691318d684caca0fecb2122d28961
- SHA512: 8571bcdc26eacf62c463038e7258bde1053db90ac2aea2d5e053c74b6201d370df8bcf0aa82bedf4be77d04bf53ec5c7992c2f32ab2d2c985df5ef74d17f2348
- SSDEEP: 12288:dZbp5e49S8/KtMJqmweBqRYmrCnBYOcOd3tmBvBO/IT3Y4rTM0Hlg:dZbnhE6KtMJqHeBqaWMuOcOptmm1eg0
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SteamUpdates = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\SteamUpdates\\SteamUpdates.exe\"" | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 316 set thread context of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2356 | powershell.exe
  316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  1160 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2356 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2356 | powershell.exe
  Token: SeSecurityPrivilege | 2356 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2356 | powershell.exe
  Token: SeLoadDriverPrivilege | 2356 | powershell.exe
  Token: SeSystemProfilePrivilege | 2356 | powershell.exe
  Token: SeSystemtimePrivilege | 2356 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2356 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2356 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2356 | powershell.exe
  Token: SeBackupPrivilege | 2356 | powershell.exe
  Token: SeRestorePrivilege | 2356 | powershell.exe
  Token: SeShutdownPrivilege | 2356 | powershell.exe
  Token: SeDebugPrivilege | 2356 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2356 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2356 | powershell.exe
  Token: SeUndockPrivilege | 2356 | powershell.exe
  Token: SeManageVolumePrivilege | 2356 | powershell.exe
  Token: 33 | 2356 | powershell.exe
  Token: 34 | 2356 | powershell.exe
  Token: 35 | 2356 | powershell.exe
  Token: SeDebugPrivilege | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  Token: SeDebugPrivilege | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1160 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 1160 | powershell.exe
  Token: SeSecurityPrivilege | 1160 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 1160 | powershell.exe
  Token: SeLoadDriverPrivilege | 1160 | powershell.exe
  Token: SeSystemProfilePrivilege | 1160 | powershell.exe
  Token: SeSystemtimePrivilege | 1160 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 1160 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 1160 | powershell.exe
  Token: SeCreatePagefilePrivilege | 1160 | powershell.exe
  Token: SeBackupPrivilege | 1160 | powershell.exe
  Token: SeRestorePrivilege | 1160 | powershell.exe
  Token: SeShutdownPrivilege | 1160 | powershell.exe
  Token: SeDebugPrivilege | 1160 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 1160 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 1160 | powershell.exe
  Token: SeUndockPrivilege | 1160 | powershell.exe
  Token: SeManageVolumePrivilege | 1160 | powershell.exe
  Token: 33 | 1160 | powershell.exe
  Token: 34 | 1160 | powershell.exe
  Token: 35 | 1160 | powershell.exe
  Token: SeDebugPrivilege | 7072 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | Process | procid_target
  PID 316 wrote to memory of 2356 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 30
  PID 316 wrote to memory of 2356 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 30
  PID 316 wrote to memory of 2356 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 30
  PID 316 wrote to memory of 2356 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 30
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 316 wrote to memory of 11132 | 316 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 34
  PID 11132 wrote to memory of 7072 | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 36
  PID 11132 wrote to memory of 7072 | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 36
  PID 11132 wrote to memory of 7072 | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 36
  PID 11132 wrote to memory of 7072 | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 36
  PID 11132 wrote to memory of 7072 | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 36
  PID 11132 wrote to memory of 7072 | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 36
  PID 11132 wrote to memory of 7072 | 11132 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 36
  PID 7072 wrote to memory of 1160 | 7072 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 37
  PID 7072 wrote to memory of 1160 | 7072 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 37
  PID 7072 wrote to memory of 1160 | 7072 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 37
  PID 7072 wrote to memory of 1160 | 7072 | 0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe | 37
Processes
- C:\Users\Admin\AppData\Local\Temp\0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe (depth 1, PID 316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe"
  Signatures:
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2356)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Bing.com
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe (depth 2, PID 11132)
    Command line: C:\Users\Admin\AppData\Local\Temp\0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe (depth 3, PID 7072)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0843c2b2637d5c7f6a9e4867ef2a9ff4_JaffaCakes118.exe"
      Signatures:
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 1160)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Bing.com
        Signatures:
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M1QJL5AJG1Y5AK2C60NQ.temp
  Filesize: 7KB
  MD5: 2226b0f94fe085a507121c26641b6a7c
  SHA1: 8f237a8dd013f63caf4133237384207308e640be
  SHA256: f8d950dc7728fe0d80ed7eb00423c777bbfed247de0b1a9c32021fd805d93e3a
  SHA512: f6d0adc6fc12168fb1eedd94fb5b876f9b12c94cf8298ea1acafee8347b164ec13fadba8a2143541d3e963c0160969b59c1e55dfe40a79e2d166c28f85d6243f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 87ddb1d6aa1d73f8052d2ab8c85836f8
  SHA1: 2c1eb7bef3eab937717a2143307e3bc3214eb07b
  SHA256: 4582de4b305c32012762a4c7bdc20be4cf522ed151829f97253e8a81d79568b2
  SHA512: 378cbfbbe2bffff1c83c5bf7a4e9a431b8cfa935687993c6b31ef48f50a66a251033c1c9a82e7b27dd40bea0248620f7e53c2557f3fa31ff2077303807494bee