Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 20:54
Static task: static1
Behavioral task: behavioral1
  Sample: e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
Size: 73KB
MD5: e83ce979dc55bbf9380b7d6a5bc49749
SHA1: 4f9d3e5e4b668bfc59bc7c715ed64542e3c18e64
SHA256: fe207bdb0a1d13a8294f4ee0ac2e93ffed1186ab861dd135df4225cca5db7498
SHA512: 9c94d8a824702f2ac528f4d18392f96d541c4a0136761fea0c20aa7261ecc871e69888e78b9ed8da4c8dd6e217eae09f66a10be6c9ae637cec2b3e9d84a9310c
SSDEEP: 768:eiJ/A2/85QjMpPFtkoVDU6BOcJ/eEGEs1POLUTeNJxyuEMqPZaKpid3b/Xs7ajZL:eiJ/hcJ9GEzUyNJxfEMqPZe3TsC3B
Malware Config
Signatures
Brute Ratel C4
  A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4664-13-0x000000007FBA0000-0x000000007FBA7000-memory.dmp   family_bruteratel
  behavioral2/memory/4664-15-0x000000007FBA0000-0x000000007FBA7000-memory.dmp   family_bruteratel
  behavioral2/memory/4664-26-0x000000007FBA0000-0x000000007FBA7000-memory.dmp   family_bruteratel
UAC bypass
  description       ioc                                                                                        Process
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   msiexec.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                        Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run                            msiexec.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\65220 = "c:\\progra~3\\msfwrb.exe"   msiexec.exe
Disables taskbar notifications via registry modification
Deletes itself (1 IoCs)
  pid    Process
  4664   msiexec.exe
Blocklisted process makes network request (6 IoCs)
  flow   pid    Process
  6      4664   msiexec.exe
  12     4664   msiexec.exe
  41     4664   msiexec.exe
  42     4664   msiexec.exe
  50     4664   msiexec.exe
  51     4664   msiexec.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description         ioc                                                          Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum     e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0   e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid    Process                                              procid_target
  PID 3420 set thread context of 624   3420   e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe   82
Drops file in Program Files directory (1 IoCs)
  description    ioc                          Process
  File created   \??\c:\progra~3\msfwrb.exe   msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   msiexec.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   msiexec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  624    e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe   (4 identical entries)
  4664   msiexec.exe                                          (60 identical entries)
Suspicious behavior: MapViewOfSection (64 IoCs)
  pid    Process
  624    e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe   (2 identical entries)
  4664   msiexec.exe                                          (62 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid    Process
  Token: SeDebugPrivilege     4664   msiexec.exe
  Token: SeBackupPrivilege    4664   msiexec.exe
  Token: SeRestorePrivilege   4664   msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  3420   e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid    Process                                              procid_target
  PID 3420 wrote to memory of 624    3420   e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe   82   (7 identical entries)
  PID 624 wrote to memory of 4664    624    e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe   83   (3 identical entries)
  PID 4664 wrote to memory of 1896   4664   msiexec.exe                                          84   (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe"
   PID: 3420
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. (child of PID 3420) C:\Users\Admin\AppData\Local\Temp\e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\e83ce979dc55bbf9380b7d6a5bc49749_JaffaCakes118.exe"
      PID: 624
      - Maps connected drives based on registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. (child of PID 624) C:\Windows\SysWOW64\msiexec.exe
         command line: C:\Windows\SysWOW64\msiexec.exe
         PID: 4664
         - UAC bypass
         - Adds policy Run key to start application
         - Deletes itself
         - Blocklisted process makes network request
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. (child of PID 4664) C:\Windows\SysWOW64\msiexec.exe
            command line: "C:\Windows\SysWOW64\msiexec.exe"
            PID: 1896
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)