Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-10-2024 13:51
Behavioral task: behavioral1
- Sample: 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe
- Size: 298KB
- MD5: 185981cb7b7d432501b93925db68173d
- SHA1: accc39f1d6ff37dabe4c0524e954e11f50696497
- SHA256: cca3361f63bd6043b1172b395301b6bb77423548c1f1c6c92020405273920abd
- SHA512: 9ed4f07970478cf58cd0fa3d222a394119a8316eccc5003ab85bbb2de6178689c836fd4ddae128aa52e79ad3c71e17f1205ba1ef3fc4bf86f0beb0b841a686a0
- SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYE:v6Wq4aaE6KwyF5L0Y2D1PqLn
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  4824 | svhost.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\e: | svhost.exe
  File opened (read-only) | \??\l: | svhost.exe
  File opened (read-only) | \??\m: | svhost.exe
  File opened (read-only) | \??\w: | svhost.exe
  File opened (read-only) | \??\y: | svhost.exe
  File opened (read-only) | \??\a: | svhost.exe
  File opened (read-only) | \??\g: | svhost.exe
  File opened (read-only) | \??\o: | svhost.exe
  File opened (read-only) | \??\p: | svhost.exe
  File opened (read-only) | \??\q: | svhost.exe
  File opened (read-only) | \??\s: | svhost.exe
  File opened (read-only) | \??\z: | svhost.exe
  File opened (read-only) | \??\b: | svhost.exe
  File opened (read-only) | \??\i: | svhost.exe
  File opened (read-only) | \??\j: | svhost.exe
  File opened (read-only) | \??\k: | svhost.exe
  File opened (read-only) | \??\r: | svhost.exe
  File opened (read-only) | \??\t: | svhost.exe
  File opened (read-only) | \??\u: | svhost.exe
  File opened (read-only) | \??\h: | svhost.exe
  File opened (read-only) | \??\n: | svhost.exe
  File opened (read-only) | \??\v: | svhost.exe
  File opened (read-only) | \??\x: | svhost.exe
AutoIT Executable (16 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/1020-757-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-1117-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-1121-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-2247-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-3385-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-4525-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-5649-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-6784-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-7912-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-9036-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-10166-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-11309-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-12435-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-13457-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-14591-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
  behavioral2/memory/4824-15729-0x0000000000400000-0x00000000004C2000-memory.dmp | autoit_exe
Matches yara rule upx (19 IoCs)
  resource | yara_rule
  behavioral2/memory/1020-0-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/files/0x000900000002342d-3.dat | upx
  behavioral2/files/0x0007000000023497-122.dat | upx
  behavioral2/memory/1020-757-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-1117-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-1121-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-2247-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-3385-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-4525-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-5649-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-6784-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-7912-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-9036-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-10166-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-11309-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-12435-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-13457-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-14591-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
  behavioral2/memory/4824-15729-0x0000000000400000-0x00000000004C2000-memory.dmp | upx
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\svhost.exe | 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe
  File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svhost.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  1020 | 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe
  1020 | 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe
  4824 | svhost.exe
  4824 | svhost.exe
  4824 | svhost.exe
  4824 | svhost.exe
  4824 | svhost.exe
  4824 | svhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4824 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process (flattened rows, kept verbatim):
pid Process 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe -
Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process (flattened rows, kept verbatim):
pid Process 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 1020 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe 4824 svhost.exe -
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1020 wrote to memory of 4824 | 1020 | 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe | 82
  PID 1020 wrote to memory of 4824 | 1020 | 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe | 82
  PID 1020 wrote to memory of 4824 | 1020 | 185981cb7b7d432501b93925db68173d_JaffaCakes118.exe | 82
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\185981cb7b7d432501b93925db68173d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\185981cb7b7d432501b93925db68173d_JaffaCakes118.exe"
  PID: 1020
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Depth 2 (child of PID 1020): C:\Windows\svhost.exe
    Command line: C:\Windows\svhost.exe
    PID: 4824
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 298KB
  MD5: bb0ed2e0884ecf87924c0efe921432e6
  SHA1: 0a9c201d0ecb064800c5408932c3498682d5d16f
  SHA256: a24d34f72a40ad19ee0750aa4e17f498374e3b3e408273a4aa6865a4820a649c
  SHA512: e77623c46ddb233b9bc217ca443151782d25b70b458fdae5437febbcc6901870007ef3d354f812ad8b9adc3672f1b98e416f408dc83a8aa142532491bf4785d2
- Filesize: 82B
  MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
  SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
  SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
  SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4
- Filesize: 298KB
  MD5: acd857643dff3da0d338fe45663e56ae
  SHA1: 5b9376144a69dabbb95548d12608a0e864d24daf
  SHA256: 3ee7438fc794810408e67d8f63f7d850b9d71564eef3f68817cf4189ca764069
  SHA512: 3a95c3acb752f5f55beb0e458b2c66afed6ea744e5b57c4972ce4816543b57bd10433353e11aecf769fbc14e45bec9ea1cdf6511eb068f37daa26146e6540b38