Analysis
- max time kernel: 146s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-10-2024 08:40

Static task: static1

Behavioral task: behavioral1
- Sample: 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe
- Size: 214KB
- MD5: 2e144013bd5138142e86353f8cf3c38c
- SHA1: 353b929bac62f9076b59b1305ed2dd992818cddf
- SHA256: 23942836bb780114244f1881a3018e090b5930748c702b870108ee6c5956a6f1
- SHA512: fbf9697f90e5b297d5c2f06b1c21dadfcfb50666092ebbe550ea5e7e5bc67d05259a9209dfa6159a07863b284a576d61877f0638b43e68f7f624d407580b181e
- SSDEEP: 6144:+WAG99MeInpZdSdwE3VQuXS8k/PucdiZ9XP:PlMeIp6d93+2HoiDP
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Disables taskbar notifications via registry modification
- Deletes itself (1 IoCs)
  pid | Process
  1636 | ksf.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1636 | ksf.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1900 | 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe
  1900 | 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe
- Modifies system executable filetype association (2 TTPs, 17 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\DefaultIcon\ = "%1" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\ = "Application" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas\command | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\ksf.exe\" -a \"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start\command | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\DefaultIcon | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open\command | ksf.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | ksf.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ksf.exe
- Modifies registry class (41 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\runas\command | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\ = "exefile" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\DefaultIcon\ = "%1" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open\command | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\open | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\DefaultIcon\ = "%1" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\open\command | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\runas | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\ksf.exe\" -a \"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start\command | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\ = "Application" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\DefaultIcon | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\open | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\start\command | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas\command | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\ksf.exe\" -a \"%1\" %*" | ksf.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\DefaultIcon | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.exe\shell\start | ksf.exe
  Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\exefile\shell\runas | ksf.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process | occurrences
  1900 | 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe | 9
  1636 | ksf.exe | 5
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2764 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description | pid | Process | occurrences
  Token: SeShutdownPrivilege | 2764 | explorer.exe | 19
- Suspicious use of FindShellTrayWindow (35 IoCs)
  pid | Process | occurrences
  2764 | explorer.exe | 33
  1636 | ksf.exe | 2
- Suspicious use of SendNotifyMessage (21 IoCs)
  pid | Process | occurrences
  2764 | explorer.exe | 20
  1636 | ksf.exe | 1
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 1900 wrote to memory of 1636 | 1900 | 2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe | 31 | 4
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe"
  PID: 1900
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\ksf.exe (depth 2, child of PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\ksf.exe" -gav C:\Users\Admin\AppData\Local\Temp\2e144013bd5138142e86353f8cf3c38c_JaffaCakes118.exe
    PID: 1636
    - Deletes itself
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\explorer.exe (depth 1)
  Command line: explorer.exe
  PID: 2764
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 214KB
- MD5: ea8cdf0a7f745d13b601832f7daca9c1
- SHA1: e0b8fe53353bcd0f75338a197d47fa0999843134
- SHA256: 7b8b3dbc8fdf0c9d4233b2462fe3890933e47ed8718110b4bd2e35b58b00a5e3
- SHA512: 58aee449776d6bbecbe87ab6f3affd3f1367f26cd7165c0999d3c4ba310f3b2e91db987cbe57cfa65f10db1ce805616a07b8a3bc3229cd1d545b800766998d91