Analysis
- max time kernel: 140s
- max time network: 88s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2024, 16:25
Static task: static1
Behavioral task: behavioral1
- Sample: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe
- Size: 287KB
- MD5: 4316cee298df3ba612576e2b3acc9509
- SHA1: d8ac2b6986e3aa9c2cb1dcadfee5579b7596e63d
- SHA256: 63212deb9302b8727655c1378356473f6a2cc5d38b6aa3a581ea0825fabada7b
- SHA512: 6efcb86039989086c579af4a97f7da2bff387e6859ff9f1aafc1ee92c3947f856bb5346707f6fb92a7e3f9044ecbf96d4beee42141dc3f1e82680bfb93d58fe8
- SSDEEP: 6144:tppSggop+07WpVULMpaBD4o+9Dw2z+uuzKu4/eJlCHiddw0:17GVUtuo+9Dw2duz8wcHi
Malware Config
Signatures

Modifies security service (2 TTPs, 1 IoC)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  - Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)

Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
  - PID 2920: 81FC.tmp

Loads dropped DLL (2 IoCs)
  - PID 2604: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe (2 occurrences)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.

Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8DB.exe = "C:\\Program Files (x86)\\LP\\43ED\\8DB.exe" (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

YARA rule matches (resource: yara_rule)
  - behavioral1/memory/2604-2-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2604-55-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2024-58-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2024-59-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2024-61-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2604-57-0x0000000000400000-0x0000000000468000-memory.dmp: upx
  - behavioral1/memory/2604-169-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/924-172-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/924-174-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2604-361-0x0000000000400000-0x000000000046B000-memory.dmp: upx
  - behavioral1/memory/2604-366-0x0000000000400000-0x000000000046B000-memory.dmp: upx

Drops file in Program Files directory (3 IoCs)
  - File created C:\Program Files (x86)\LP\43ED\8DB.exe (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)
  - File opened for modification C:\Program Files (x86)\LP\43ED\8DB.exe (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)
  - File opened for modification C:\Program Files (x86)\LP\43ED\81FC.tmp (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 81FC.tmp)

Modifies registry class (5 IoCs)
  - Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (process: explorer.exe)
  - Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (process: explorer.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings (process: explorer.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (process: explorer.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (process: explorer.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  - PID 2604: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe (14 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2352: explorer.exe

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  - Token: SeRestorePrivilege (PID 2788, msiexec.exe)
  - Token: SeTakeOwnershipPrivilege (PID 2788, msiexec.exe)
  - Token: SeSecurityPrivilege (PID 2788, msiexec.exe)
  - Token: SeShutdownPrivilege (PID 2352, explorer.exe) (12 occurrences)
  - Token: 33 (PID 2984, AUDIODG.EXE) (2 occurrences)
  - Token: SeIncBasePriorityPrivilege (PID 2984, AUDIODG.EXE) (2 occurrences)

Suspicious use of FindShellTrayWindow (28 IoCs)
  - PID 2352: explorer.exe (28 occurrences)

Suspicious use of SendNotifyMessage (18 IoCs)
  - PID 2352: explorer.exe (18 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 2604 wrote to memory of 2024 (pid 2604, process 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe, procid_target 30) (4 occurrences)
  - PID 2604 wrote to memory of 924 (pid 2604, process 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe, procid_target 32) (4 occurrences)
  - PID 2604 wrote to memory of 2920 (pid 2604, process 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe, procid_target 36) (4 occurrences)

System policy modification (1 TTP, 2 IoCs)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (process: 4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe (PID 2604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child: C:\Users\Admin\AppData\Local\Temp\4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe (PID 2024)
    Command line: C:\Users\Admin\AppData\Local\Temp\4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\D7357\AE743.exe%C:\Users\Admin\AppData\Roaming\D7357
  Child: C:\Users\Admin\AppData\Local\Temp\4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe (PID 924)
    Command line: C:\Users\Admin\AppData\Local\Temp\4316cee298df3ba612576e2b3acc9509_JaffaCakes118.exe startC:\Program Files (x86)\57C55\lvvm.exe%C:\Program Files (x86)\57C55
  Child: C:\Program Files (x86)\LP\43ED\81FC.tmp (PID 2920)
    Command line: "C:\Program Files (x86)\LP\43ED\81FC.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\system32\msiexec.exe (PID 2788)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (PID 2352)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE (PID 2984)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x584
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads