Analysis
Max time kernel: 150s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 09-12-2024 11:15
Static task: static1
Behavioral task: behavioral1
- Sample: d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
Target: d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe
Size: 356KB
MD5: d958277b511acf4f8dae3d75c594db6c
SHA1: b9a2113f62e2f559d51d70a35c77dff7e39294ed
SHA256: 065d9b1dd188b626515ce09b19cd24d7e16a160ac5319136e65aa3c561657426
SHA512: 21f5bfd2e04283a8d32f79cb10c823a66ebebc9d7ca9fc9a14d8fc3e4b31de1d0232141336c5816b098598f0ec2f4f2db5cbe44e4ebfffc792f01f55c96c4441
SSDEEP: 6144:0tkXQh+fOZTb4rVfYn33rVRRF5GPXpkHg0Sme9k4GgzsdHXTvLRUQSOObAIAWgcu:8VxQap5KDox3lWnk
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: rudas199300
Signatures

Hawkeye family

Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe" (process: audiodgi.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: audiodgi.exe)

Deletes itself (1 IoC)
- PID 2104 svchost.exe

Drops startup file (2 IoCs)
- File created: C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe (process: wmpmetwk.exe)
- File opened for modification: C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe (process: wmpmetwk.exe)

Executes dropped EXE (7 IoCs)
- PID 2104 svchost.exe
- PID 2736 svchost.exe
- PID 3024 audiodgi.exe
- PID 2808 Windows Update.exe
- PID 2624 Windows Update.exe
- PID 2164 wmpmetwk.exe
- PID 2112 wmpmetwk.exe

Loads dropped DLL (12 IoCs)
- PID 2520 d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe (2 events)
- PID 2104 svchost.exe (2 events)
- PID 2736 svchost.exe (1 event)
- PID 2808 Windows Update.exe (4 events)
- PID 3024 audiodgi.exe (2 events)
- PID 2164 wmpmetwk.exe (1 event)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe" (process: audiodgi.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 2104 svchost.exe set thread context of PID 2736 (target process #31)
- PID 2808 Windows Update.exe set thread context of PID 2624 (target process #34)
- PID 2164 wmpmetwk.exe set thread context of PID 2112 (target process #36)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: audiodgi.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Windows Update.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: wmpmetwk.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: wmpmetwk.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2104 svchost.exe (8 events)
- PID 3024 audiodgi.exe (41 events)
- PID 2808 Windows Update.exe (7 events)
- PID 2164 wmpmetwk.exe (7 events)
- PID 2112 wmpmetwk.exe (1 event)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 2520 d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe
- Token: SeDebugPrivilege, PID 2104 svchost.exe
- Token: SeDebugPrivilege, PID 3024 audiodgi.exe
- Token: SeDebugPrivilege, PID 2808 Windows Update.exe
- Token: SeDebugPrivilege, PID 2164 wmpmetwk.exe
- Token: SeDebugPrivilege, PID 2112 wmpmetwk.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2112 wmpmetwk.exe

Suspicious use of WriteProcessMemory (46 IoCs)
- PID 2520 d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe wrote to memory of PID 2104 (target process #30), 4 events
- PID 2104 svchost.exe wrote to memory of PID 2736 (target process #31), 9 events
- PID 2104 svchost.exe wrote to memory of PID 3024 (target process #32), 4 events
- PID 2736 svchost.exe wrote to memory of PID 2808 (target process #33), 7 events
- PID 2808 Windows Update.exe wrote to memory of PID 2624 (target process #34), 9 events
- PID 3024 audiodgi.exe wrote to memory of PID 2164 (target process #35), 4 events
- PID 2164 wmpmetwk.exe wrote to memory of PID 2112 (target process #36), 9 events
Processes (tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d958277b511acf4f8dae3d75c594db6c_JaffaCakes118.exe"
PID: 2520
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  PID: 2104
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    PID: 2736
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      PID: 2808
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        PID: 2624
        - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    PID: 3024
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      PID: 2164
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        PID: 2112
        - Drops startup file
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads

Filesize: 87B
MD5: 909440ee37365c16bce21f93c287657c
SHA1: ec9f4e0f22fb0a59eb25184710d88453c2625811
SHA256: ec114016c3e8076661039cd4961b741206101a705f26ff385cb881e80e500b68
SHA512: f1432029fb627695c48cd3c1ea037be39b153d31cdfa9efc37e86a3e28ae88693bc5bdb11bb11e75569c5071a1de13256b90b95b49459cb2b755df4bc4664784

Filesize: 45B
MD5: a6b2cbc038274921154dcbf64cc076cb
SHA1: 240e674d5ecc80a2c671ca1a3edac03dba302eeb
SHA256: 428fd3690080062b26a970f5adec10b6da06cefabd8d42b21ab736f874ace2db
SHA512: 7c1cb2fb48a99e923484eed5ffd8ddcca06f395bc61b071d3c98d44e349a2e374fe94ed98c8e70a30967d7e1eda1c84fc9749067f0598e47af778a6707870043

Filesize: 56B
MD5: 3ef045d517db664d7f64d66b65eb2ef4
SHA1: 1e54c90ab24a161c307ca74e7bfbab23ca4795a2
SHA256: 9ae5ccde3335d02f3b0a5795652cb7e706121f9a8bc1a721e2d6ffb1847a5a7b
SHA512: ec6b0f85cda02de19eff6094506c093395f6d45e521b2a3985f348ac71414c51b42464723dc7ab95e95c7e8f17fc4199435614cedfeca22630c23868d2377990

Filesize: 7KB
MD5: d9f8d8a30db8fb5daebe3d30f7fb8409
SHA1: 11920679d52db7c304a9d7687ab5ee41c3cae8d4
SHA256: 2ac171ff0ad23ad0b2e2766383e3569e7b5f6ced05abfcdff344986f1ad6df4f
SHA512: c4e0ac2a4a37199ed4d61e3ce0e2dd7d91542f2c3b490d0c8fe4ae1c9cda174348b463aa63bd704a47938853ebb429dfcca07fb3cffc430449dcb5474e96be81

Filesize: 356KB
MD5: d958277b511acf4f8dae3d75c594db6c
SHA1: b9a2113f62e2f559d51d70a35c77dff7e39294ed
SHA256: 065d9b1dd188b626515ce09b19cd24d7e16a160ac5319136e65aa3c561657426
SHA512: 21f5bfd2e04283a8d32f79cb10c823a66ebebc9d7ca9fc9a14d8fc3e4b31de1d0232141336c5816b098598f0ec2f4f2db5cbe44e4ebfffc792f01f55c96c4441