Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-10-2024 09:38
Static task
static1
Behavioral task
behavioral1
Sample
73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
-
Size
691KB
-
MD5
73267c2a412170b3f3df33616b1e1e8e
-
SHA1
bcc8e0537ea776cf75ea83aec75130fc5ba36b43
-
SHA256
4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
-
SHA512
3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
-
SSDEEP
12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 748 netsh.exe -
Deletes itself 1 IoCs
pid Process 1268 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe RuntimeBroker.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcd9e400682bb0f4003b0aee2047a5cb.exe RuntimeBroker.exe -
Executes dropped EXE 3 IoCs
pid Process 2840 Insidious.exe 2944 RuntimeBroker.exe 2288 RuntimeBroker.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .." RuntimeBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fcd9e400682bb0f4003b0aee2047a5cb = "\"C:\\Windows\\RuntimeBroker.exe\" .." RuntimeBroker.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 freegeoip.app 5 freegeoip.app -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\RuntimeBroker.exe RuntimeBroker.exe File opened for modification C:\Windows\RuntimeBroker.exe RuntimeBroker.exe File opened for modification C:\Windows\RuntimeBroker.exe RuntimeBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RuntimeBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RuntimeBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2692 PING.EXE 1268 cmd.exe 2784 PING.EXE -
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
pid Process 748 netsh.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Insidious.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Insidious.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2692 PING.EXE 2784 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2840 Insidious.exe 2840 Insidious.exe 2840 Insidious.exe 2840 Insidious.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe 2288 RuntimeBroker.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2288 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 2840 Insidious.exe Token: SeDebugPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe Token: 33 2288 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2288 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2840 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 28 PID 2868 wrote to memory of 2840 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 28 PID 2868 wrote to memory of 2840 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 28 PID 2868 wrote to memory of 2944 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 29 PID 2868 wrote to memory of 2944 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 29 PID 2868 wrote to memory of 2944 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 29 PID 2868 wrote to memory of 2944 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 29 PID 2868 wrote to memory of 1268 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 30 PID 2868 wrote to memory of 1268 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 30 PID 2868 wrote to memory of 1268 2868 73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe 30 PID 1268 wrote to memory of 2784 1268 cmd.exe 32 PID 1268 wrote to memory of 2784 1268 cmd.exe 32 PID 1268 wrote to memory of 2784 1268 cmd.exe 32 PID 1268 wrote to memory of 2692 1268 cmd.exe 33 PID 1268 wrote to memory of 2692 1268 cmd.exe 33 PID 1268 wrote to memory of 2692 1268 cmd.exe 33 PID 2944 wrote to memory of 2288 2944 RuntimeBroker.exe 35 PID 2944 wrote to memory of 2288 2944 RuntimeBroker.exe 35 PID 2944 wrote to memory of 2288 2944 RuntimeBroker.exe 35 PID 2944 wrote to memory of 2288 2944 RuntimeBroker.exe 35 PID 2288 wrote to memory of 748 2288 RuntimeBroker.exe 36 PID 2288 wrote to memory of 748 2288 RuntimeBroker.exe 36 PID 2288 wrote to memory of 748 2288 RuntimeBroker.exe 36 PID 2288 wrote to memory of 748 2288 RuntimeBroker.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\RuntimeBroker.exe"C:\Windows\RuntimeBroker.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:748
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"2⤵
- Deletes itself
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 1003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2784
-
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 9003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2692
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328KB
MD5f6639aa0f7e43cf09431850b3f473238
SHA13c7740ceacf062f8d71095bb440e280fdd3372ec
SHA256870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e
SHA5121e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94
-
Filesize
260KB
MD51acabd72a026449937fc1cd16d0b5423
SHA1809ea7e21d0e3d80a6445c245daa2e018a417126
SHA25681634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2
SHA51240fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d