Analysis
max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/10/2024, 10:41
Behavioral task: behavioral1
Sample: 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe
Size: 298KB
MD5: 1301099e7f0f87fe1970a9bc05ca03bb
SHA1: 6c2768abfce2b8fc6bdc6135608a78009873ddf5
SHA256: c330d565560f6d49c49cc432713a773fe1e11f8ec90002e3d807fc57281ee65f
SHA512: 7b55ac027b6964a3669affd98ea5ff2ca9ba296ea534fbc9b1d4f18689616d3e29905749aea796006ab6e9e2a760aab180ee78ff48f3da2ee221e06b65027692
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYj:v6Wq4aaE6KwyF5L0Y2D1PqLs
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE 1 IoCs
pid | Process
3012 | svhost.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\svhost.exe | 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe
File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svhost.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4092 | 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe
4092 | 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe
3012 | svhost.exe
3012 | svhost.exe
3012 | svhost.exe
3012 | svhost.exe
3012 | svhost.exe
3012 | svhost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3012 | svhost.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4092 wrote to memory of 3012 | 4092 | 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe | 82
PID 4092 wrote to memory of 3012 | 4092 | 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe | 82
PID 4092 wrote to memory of 3012 | 4092 | 1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe | 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1301099e7f0f87fe1970a9bc05ca03bb_JaffaCakes118.exe"
   PID: 4092
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svhost.exe
      Command line: C:\Windows\svhost.exe
      PID: 3012
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 298KB
MD5: d981fc4e5209f398e99fec715392d82d
SHA1: af21f42f66ce8a3d53ac746182ff0b8e4d8085d4
SHA256: cf4a4f8950e71a236cceb4364d13085e4316fc5c0c97d75645aa9410d2320213
SHA512: 57079768425847661cef74580617593b516c9433ea6aa1bc949c58efcaf4b2c2373abcb08f362aa301b9e036bbad5463e3594320ef13a72c8b233f3ca483ac93

Filesize: 82B
MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Filesize: 298KB
MD5: 26efc2a84c1eb40d5f1719e353a66f2f
SHA1: 27010f4b322862fa325b401df03e8a590fbfd017
SHA256: 938dd217b49b8b8be9626ef5e90a384a00353710ab70793b021777b513fe15b1
SHA512: 08d7ce0bae51183ce91c54786610c260ed2569351feea9e7c80ea16b0aaefe9bffb520e33b577b6d9f4d01012699952912e282c225c687a9cbf21f188f316d83