General
Target: 1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118
Size: 4.0MB
Sample: 241007-mpm6xa1arm
MD5: 1cfa59cf9fe17fbacc47910d45236945
SHA1: fbb6312e00a341bf35f9f5e4c4ac6ba317532d91
SHA256: 3412cec072f1a9b403fcc7d2e8de28d0bde2d3a5a2e39089c519c2d12646b644
SHA512: 60dba5def860fd88f614a001f1e374b060671636eeba7ea24a482f288bf2648f62e0d8b1ff12081cd5bb81fa49852391296d71ee52c0f07231a0d343ee51d724
SSDEEP: 98304:lwfMbhvRDp0/EbYb1Ts7AEA6Ri5np/FOCM3YhHT2JQ3gYUGXd:lwAhlu/EbylsMV6M/NPMIhz+BiXd

Static task: static1
Behavioral task: behavioral1
Sample: 1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe
Resource: win7-20240729-en
Targets
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers.
- Blocks application from running via registry modification
  Adds an application to the list of disallowed applications.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Possible privilege escalation attempt
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clears Windows Event Logs to hide the activity of an intrusion.
- Loads dropped DLL
- Modifies file permissions
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (2)
  - PowerShell (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - Clear Windows Event Logs (1)
- Modify Registry (2)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)