Analysis
max time kernel: 53s
max time network: 53s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 31/10/2024, 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
Errors
General
Target: 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe
Size: 2.8MB
MD5: 83035d6f6c95bbee91cebfda3ce8e717
SHA1: c276fb8f9c498adcbfcae06e87cf1ec63f9795cc
SHA256: 039f49f63a4173ed8451b471eef7fa40a3354fc6353213d59a51936dabfc6760
SHA512: 45ed62ce82c24914441b1bd69bff75b5b627895abf3a9bd29edcaca68f3a45ca80e87d78db293d6b681c5e4e40dda2dd5c0ce4234f5b4872a3d7f0b34978dbaf
SSDEEP: 49152:I7IU6ivGtlqaVwASOrfmrTEbTRjkek2FjufBaCOh5PaOcegDxpVodPgN2gh4E+gx:/+Y39mHqWN2K4E+gPdo
Malware Config
Signatures

Creates new service(s) (2 TTPs)

Drops file in Drivers directory (1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\windows\system32\drivers\appld.sys | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe |

Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.

Executes dropped EXE (2 IoCs)

| pid | Process |
| --- | --- |
| 2244 | dg82fqkt63.exe |
| 2436 | l4fjq1orkk.exe |

Loads dropped DLL (4 IoCs)

| pid | Process |
| --- | --- |
| 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe |
| 1520 | Process not Found |
| 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe |
| 1404 | Process not Found |
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (7 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~1.REG | cmd.exe |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~2.REG | cmd.exe |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~3.REG | cmd.exe |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~4.REG | cmd.exe |
| File opened for modification | C:\Windows\System32\config\TxR\{0B82E~1.REG | cmd.exe |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~2.BLF | cmd.exe |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~1.BLF | cmd.exe |
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.

| pid | Process |
| --- | --- |
| 1228 | sc.exe |
| 2044 | sc.exe |
| 1616 | sc.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.

| pid | Process |
| --- | --- |
| 1056 | reg.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | 2244 | dg82fqkt63.exe |
| Token: SeShutdownPrivilege | 844 | shutdown.exe |
| Token: SeRemoteShutdownPrivilege | 844 | shutdown.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2420 wrote to memory of 2244 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 31 |
| PID 2420 wrote to memory of 2244 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 31 |
| PID 2420 wrote to memory of 2244 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 31 |
| PID 2420 wrote to memory of 2844 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 33 |
| PID 2420 wrote to memory of 2844 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 33 |
| PID 2420 wrote to memory of 2844 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 33 |
| PID 2844 wrote to memory of 2764 | 2844 | cmd.exe | 35 |
| PID 2844 wrote to memory of 2764 | 2844 | cmd.exe | 35 |
| PID 2844 wrote to memory of 2764 | 2844 | cmd.exe | 35 |
| PID 2844 wrote to memory of 3012 | 2844 | cmd.exe | 36 |
| PID 2844 wrote to memory of 3012 | 2844 | cmd.exe | 36 |
| PID 2844 wrote to memory of 3012 | 2844 | cmd.exe | 36 |
| PID 2844 wrote to memory of 2888 | 2844 | cmd.exe | 37 |
| PID 2844 wrote to memory of 2888 | 2844 | cmd.exe | 37 |
| PID 2844 wrote to memory of 2888 | 2844 | cmd.exe | 37 |
| PID 2844 wrote to memory of 2884 | 2844 | cmd.exe | 38 |
| PID 2844 wrote to memory of 2884 | 2844 | cmd.exe | 38 |
| PID 2844 wrote to memory of 2884 | 2844 | cmd.exe | 38 |
| PID 2844 wrote to memory of 2824 | 2844 | cmd.exe | 39 |
| PID 2844 wrote to memory of 2824 | 2844 | cmd.exe | 39 |
| PID 2844 wrote to memory of 2824 | 2844 | cmd.exe | 39 |
| PID 2844 wrote to memory of 1056 | 2844 | cmd.exe | 40 |
| PID 2844 wrote to memory of 1056 | 2844 | cmd.exe | 40 |
| PID 2844 wrote to memory of 1056 | 2844 | cmd.exe | 40 |
| PID 2844 wrote to memory of 3008 | 2844 | cmd.exe | 41 |
| PID 2844 wrote to memory of 3008 | 2844 | cmd.exe | 41 |
| PID 2844 wrote to memory of 3008 | 2844 | cmd.exe | 41 |
| PID 2844 wrote to memory of 2916 | 2844 | cmd.exe | 42 |
| PID 2844 wrote to memory of 2916 | 2844 | cmd.exe | 42 |
| PID 2844 wrote to memory of 2916 | 2844 | cmd.exe | 42 |
| PID 2844 wrote to memory of 2772 | 2844 | cmd.exe | 43 |
| PID 2844 wrote to memory of 2772 | 2844 | cmd.exe | 43 |
| PID 2844 wrote to memory of 2772 | 2844 | cmd.exe | 43 |
| PID 2844 wrote to memory of 2240 | 2844 | cmd.exe | 44 |
| PID 2844 wrote to memory of 2240 | 2844 | cmd.exe | 44 |
| PID 2844 wrote to memory of 2240 | 2844 | cmd.exe | 44 |
| PID 2844 wrote to memory of 2640 | 2844 | cmd.exe | 45 |
| PID 2844 wrote to memory of 2640 | 2844 | cmd.exe | 45 |
| PID 2844 wrote to memory of 2640 | 2844 | cmd.exe | 45 |
| PID 2844 wrote to memory of 2816 | 2844 | cmd.exe | 46 |
| PID 2844 wrote to memory of 2816 | 2844 | cmd.exe | 46 |
| PID 2844 wrote to memory of 2816 | 2844 | cmd.exe | 46 |
| PID 2844 wrote to memory of 2652 | 2844 | cmd.exe | 47 |
| PID 2844 wrote to memory of 2652 | 2844 | cmd.exe | 47 |
| PID 2844 wrote to memory of 2652 | 2844 | cmd.exe | 47 |
| PID 2844 wrote to memory of 2784 | 2844 | cmd.exe | 48 |
| PID 2844 wrote to memory of 2784 | 2844 | cmd.exe | 48 |
| PID 2844 wrote to memory of 2784 | 2844 | cmd.exe | 48 |
| PID 2844 wrote to memory of 2780 | 2844 | cmd.exe | 49 |
| PID 2844 wrote to memory of 2780 | 2844 | cmd.exe | 49 |
| PID 2844 wrote to memory of 2780 | 2844 | cmd.exe | 49 |
| PID 2844 wrote to memory of 2724 | 2844 | cmd.exe | 50 |
| PID 2844 wrote to memory of 2724 | 2844 | cmd.exe | 50 |
| PID 2844 wrote to memory of 2724 | 2844 | cmd.exe | 50 |
| PID 2420 wrote to memory of 2436 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 52 |
| PID 2420 wrote to memory of 2436 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 52 |
| PID 2420 wrote to memory of 2436 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 52 |
| PID 2436 wrote to memory of 2856 | 2436 | l4fjq1orkk.exe | 54 |
| PID 2436 wrote to memory of 2856 | 2436 | l4fjq1orkk.exe | 54 |
| PID 2436 wrote to memory of 2856 | 2436 | l4fjq1orkk.exe | 54 |
| PID 2844 wrote to memory of 2964 | 2844 | cmd.exe | 55 |
| PID 2844 wrote to memory of 2964 | 2844 | cmd.exe | 55 |
| PID 2844 wrote to memory of 2964 | 2844 | cmd.exe | 55 |
| PID 2420 wrote to memory of 1228 | 2420 | 83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe | 56 |
Processes

- C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\83035d6f6c95bbee91cebfda3ce8e717_JaffaCakes118.exe"
  Signatures: Drops file in Drivers directory; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe (PID 2244)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dg82fqkt63.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2844)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\lc4tilfa51.bat" "
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 2764)
      Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk\Security" /f
    - C:\Windows\system32\reg.exe (PID 3012)
      Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgk" /f
    - C:\Windows\system32\reg.exe (PID 2888)
      Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc\Security" /f
    - C:\Windows\system32\reg.exe (PID 2884)
      Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vgc" /f
    - C:\Windows\system32\reg.exe (PID 2824)
      Command line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Riot Vangard" /f
    - C:\Windows\system32\reg.exe (PID 1056)
      Command line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\VALORANT-Win64-Shipping.exe" /f
      Signatures: System Network Configuration Discovery: Internet Connection Discovery
    - C:\Windows\system32\reg.exe (PID 3008)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2916)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2772)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2240)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2640)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2816)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2652)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2784)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2780)
      Command line: reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count" /f
    - C:\Windows\system32\reg.exe (PID 2724)
      Command line: reg delete "HKEY_CLASSES_ROOT\riotclient" /f
    - C:\Windows\system32\reg.exe (PID 2964)
      Command line: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig" /f
  - C:\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe (PID 2436)
    Command line: "C:\Users\Admin\AppData\Local\Temp\l4fjq1orkk.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2856)
      Command line: C:\Windows\system32\cmd.exe /c Color 97
  - C:\Windows\system32\sc.exe (PID 1228)
    Command line: sc stop appld
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 2044)
    Command line: sc delete appld
    Signatures: Launches sc.exe
  - C:\Windows\system32\sc.exe (PID 1616)
    Command line: sc create appld binpath= C:\windows\system32\drivers\appld.sys type= kernel start= boot
    Signatures: Launches sc.exe
  - C:\Windows\System32\shutdown.exe (PID 844)
    Command line: C:\Windows\System32\shutdown /r /t 0
    Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 2412)
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 948)
  Command line: "LogonUI.exe" /flags:0x1
Network

MITRE ATT&CK Enterprise v15

- Credential Access
  - Credentials from Password Stores (2)
    - Credentials from Web Browsers (1)
    - Windows Credential Manager (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads

| Filesize | MD5 | SHA1 | SHA256 | SHA512 |
| --- | --- | --- | --- | --- |
| 8KB | ff773fbe0ab771b04b82316c89f20654 | d37bcca4ff0d80d5d02d4e5ab942a945edfb0fba | f4907982695edaf608648b6e1984a0aea68057d428cbc82ebceba3d3074cfb7b | 528dc36c1e03650f57a8cf63e5d3c637290c5c450343065ab2cfc034d60114362953d144115e35956a8a34d2442ebfb4ca2c95943d8dd0f9f0eb58e563c7f313 |
| 126KB | 8eded2a6dd7097e60abfa7292d3b23c0 | 099688e74e257495636c96b34b2d59724c271a8c | 1b48f91b77fc85eec79786f908e0eaeff050cdaee49471ee0c2be92e05c972bd | 1733b6e583ad92a64ba2a561c7c5b333df2f59b1aec97d7627a9e257acdcb553e9907fe701a4bb094f4b4ec44b04f50f833ccfe11d5dbf171e9fd5fe1db7397d |
| 343KB | 060f3da224758a17ba766353dccd4d82 | b58ba5133ecb4ed8968733b2207058505fbefdf3 | 9ef5644ff3befc763b4ab7b8bf0ba7e8ebda43d98e5e8d753f95fe9cdaec7645 | af06364339814b4c9058f3acf2214842e381f988f87b4b694bcb06cb55cf749d76e117ef2fc4a0f80c530d0ef51e6ee3171045d37a260e6456c0f363b41baaa7 |