Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2024 21:09
Static task: static1
Behavioral task: behavioral1
Sample: 9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe
Resource: win7-20241010-en

General
Target: 9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe
Size: 808KB
MD5: 9de9363c50721f3c8eae5a2725f51690
SHA1: f1eb284765f36d9d7c498e43d2403c3af2b2ab6f
SHA256: 332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4
SHA512: a36962d9e16873d108a79eaee1e1bfd5dceb2fab54f61a1dae5d859625d0b3bb5a80041c7cbebb90ad1c61f6d7efe90c7d698ab4d17353d68637b54090e85d4a
SSDEEP: 12288:cXJYagld8WUxFkyekJfC+R3D5g4OYo4VsJdq3vbFPXswlXV/4JUu8KbEYUDDKvm8:2YFkJqOG4xBxVS
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\Svchost.exe" | 69.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 69.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\Svchost.exe" | 69.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028}\StubPath = "C:\\Windows\\system32\\system32\\Svchost.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028} | 69.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028}\StubPath = "C:\\Windows\\system32\\system32\\Svchost.exe Restart" | 69.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028} | explorer.exe
Executes dropped EXE (3 IoCs)
pid | Process
2780 | 69.exe
1236 | 69.exe
1792 | Svchost.exe

Loads dropped DLL (3 IoCs)
pid | Process
2780 | 69.exe
1236 | 69.exe
1236 | 69.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\Svchost.exe" | 69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\Svchost.exe" | 69.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\system32\Svchost.exe | 69.exe
File opened for modification | C:\Windows\SysWOW64\system32\Svchost.exe | 69.exe
File opened for modification | C:\Windows\SysWOW64\system32\Svchost.exe | 69.exe
File opened for modification | C:\Windows\SysWOW64\system32\ | 69.exe

resource | yara_rule
behavioral1/memory/2780-12-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral1/memory/2056-551-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/2056-907-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 69.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2780 | 69.exe
2780 | 69.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1236 | 69.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2056 | explorer.exe
Token: SeRestorePrivilege | 2056 | explorer.exe
Token: SeBackupPrivilege | 1236 | 69.exe
Token: SeRestorePrivilege | 1236 | 69.exe
Token: SeDebugPrivilege | 1236 | 69.exe
Token: SeDebugPrivilege | 1236 | 69.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2780 | 69.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3032 wrote to memory of 2780 | 3032 | 9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe | 31 (this row appears 4 times)
PID 2780 wrote to memory of 1180 | 2780 | 69.exe | 21 (this row is repeated verbatim for the remaining 60 entries)
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID:1180
   2. C:\Users\Admin\AppData\Local\Temp\9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      PID:3032
      3. C:\Users\Admin\AppData\Local\Temp\69.exe
         command line: C:\Users\Admin\AppData\Local\Temp\69.exe
         - Adds policy Run key to start application
         - Boot or Logon Autostart Execution: Active Setup
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         PID:2780
         4. C:\Windows\SysWOW64\explorer.exe
            command line: explorer.exe
            - Boot or Logon Autostart Execution: Active Setup
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID:2056
         4. C:\Users\Admin\AppData\Local\Temp\69.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\69.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID:1236
            5. C:\Windows\SysWOW64\system32\Svchost.exe
               command line: "C:\Windows\system32\system32\Svchost.exe"
               - Executes dropped EXE
               PID:1792
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Downloads