General
-
Target
8462d74fdbedcb32579b0e67dd1e07ef_JaffaCakes118
-
Size
773KB
-
Sample
241101-mx13qs1pdp
-
MD5
8462d74fdbedcb32579b0e67dd1e07ef
-
SHA1
c2ff063cfc81473b13852250012f5e1455df4e61
-
SHA256
01b908cb399e5088eb9d2d6aa8afdf49139370750a092c73185df7fb8aafc676
-
SHA512
779614400f0e3ef4b1883026542c0866d2f894e431b06b4671eb10498c5e27cb9980b0eb56aec5536004dddff97f3ad5a87b10d0e04f9c3c87bf004fa1d1ff4a
-
SSDEEP
12288:nKVor+xCwP+U4gcN2KA71uA46dNyKxElDrNk0mGDJPSyEy26g3oWGKegoBM/sPd2:mor+wwnZx71uxj8+NkG9PSywOKegx/V
Static task
static1
Behavioral task
behavioral1
Sample
8462d74fdbedcb32579b0e67dd1e07ef_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
8462d74fdbedcb32579b0e67dd1e07ef_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
8462d74fdbedcb32579b0e67dd1e07ef_JaffaCakes118
-
Size
773KB
-
MD5
8462d74fdbedcb32579b0e67dd1e07ef
-
SHA1
c2ff063cfc81473b13852250012f5e1455df4e61
-
SHA256
01b908cb399e5088eb9d2d6aa8afdf49139370750a092c73185df7fb8aafc676
-
SHA512
779614400f0e3ef4b1883026542c0866d2f894e431b06b4671eb10498c5e27cb9980b0eb56aec5536004dddff97f3ad5a87b10d0e04f9c3c87bf004fa1d1ff4a
-
SSDEEP
12288:nKVor+xCwP+U4gcN2KA71uA46dNyKxElDrNk0mGDJPSyEy26g3oWGKegoBM/sPd2:mor+wwnZx71uxj8+NkG9PSywOKegx/V
-
Modifies security service
-
Sets service image path in registry
-
Credentials from Password Stores: Windows Credential Manager
Suspicious access to Credentials History.
-
Deletes itself
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks registry for disk virtualization
Detecting virtualization disks is order done to detect sandboxing environments.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
5