General
-
Target
496f1defa92daf684818e5d161c71e8b_JaffaCakes118
-
Size
658KB
-
Sample
241015-xfxzvs1aqb
-
MD5
496f1defa92daf684818e5d161c71e8b
-
SHA1
de21e1d8c5645f4550f09d11295b81293164a0f1
-
SHA256
745115e5515092ad108ad14211fc1f03e0dd4730bfeb79b5fadd753a4ba14f36
-
SHA512
805a88a93ddd3b4dc9bafaebf91723a7db70302007b8603a33c6cdea4f769ca15f62c84a689fef131be73fe15984491bc434e6a8a1d51839a441bf9a933a50fc
-
SSDEEP
12288:qa11Gr3+pfNixGTdIkIxJIEo3gMH70mVogKp4tQ3BfS6oN+qESVBx7neivjX/I:qWixGpuIEow7WG4tQxa6ojxvnei7
Static task
static1
Behavioral task
behavioral1
Sample
496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
496f1defa92daf684818e5d161c71e8b_JaffaCakes118
-
Size
658KB
-
MD5
496f1defa92daf684818e5d161c71e8b
-
SHA1
de21e1d8c5645f4550f09d11295b81293164a0f1
-
SHA256
745115e5515092ad108ad14211fc1f03e0dd4730bfeb79b5fadd753a4ba14f36
-
SHA512
805a88a93ddd3b4dc9bafaebf91723a7db70302007b8603a33c6cdea4f769ca15f62c84a689fef131be73fe15984491bc434e6a8a1d51839a441bf9a933a50fc
-
SSDEEP
12288:qa11Gr3+pfNixGTdIkIxJIEo3gMH70mVogKp4tQ3BfS6oN+qESVBx7neivjX/I:qWixGpuIEow7WG4tQxa6ojxvnei7
-
Modifies security service
-
Sets service image path in registry
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks registry for disk virtualization
Detecting virtualization disks is order done to detect sandboxing environments.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
5