Analysis

max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 02:57
Behavioral task: behavioral1
Sample: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
Resource: win7-20240903-en
General

Target: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
Size: 72KB
MD5: 83e4f77cae137c7bff6a24007930ea56
SHA1: 45139cb5e3d5dfde3a190481623a66cb6716e1af
SHA256: 3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd
SHA512: a57d5d62a74a6d948db770f51497985b170c761f8c7ad849c9e6d8de902def26f1e8cc7c56498fb1f9c71cc84cc6b5fca5a12c703a35cb16c0cff48eb90b315c
SSDEEP: 1536:EoD1Mth9MRwaeb4hSFqmOoy8grJKmVcl:EoD1MthMwaeb4G4ocNK8Y
Malware Config

Extracted family: asyncrat
Version: 0.5.6D
Default
C2 hosts:
  milla.publicvm.com:6606
  milla.publicvm.com:7707
  milla.publicvm.com:8808
sdjacffkienmtfsm
delay: 9
install: true
install_file: firfafox.exe
install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (1 IoCs)
  resource: behavioral1/files/0x0007000000012117-15.dat  yara_rule: family_asyncrat

Executes dropped EXE (1 IoCs)
  pid 2716  process: firfafox.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
  pid 2856  process: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2584  process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2996  process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
  pid 2996  process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
  pid 2996  process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2996  process: JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
  Token: SeDebugPrivilege  pid 2716  process: firfafox.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   process                                                                               procid_target
  PID 2996 wrote to memory of 2736   2996  JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe  30
  PID 2996 wrote to memory of 2736   2996  JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe  30
  PID 2996 wrote to memory of 2736   2996  JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe  30
  PID 2996 wrote to memory of 2684   2996  JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe  32
  PID 2996 wrote to memory of 2684   2996  JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe  32
  PID 2996 wrote to memory of 2684   2996  JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe  32
  PID 2736 wrote to memory of 2584   2736  cmd.exe                                                                               34
  PID 2736 wrote to memory of 2584   2736  cmd.exe                                                                               34
  PID 2736 wrote to memory of 2584   2736  cmd.exe                                                                               34
  PID 2684 wrote to memory of 2856   2684  cmd.exe                                                                               35
  PID 2684 wrote to memory of 2856   2684  cmd.exe                                                                               35
  PID 2684 wrote to memory of 2856   2684  cmd.exe                                                                               35
  PID 2684 wrote to memory of 2716   2684  cmd.exe                                                                               36
  PID 2684 wrote to memory of 2716   2684  cmd.exe                                                                               36
  PID 2684 wrote to memory of 2716   2684  cmd.exe                                                                               36

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2996

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd /tr '"C:\Users\Admin\AppData\Roaming\firfafox.exe"' & exit
      - Suspicious use of WriteProcessMemory
      PID: 2736

    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn JaffaCakes118_3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd /tr '"C:\Users\Admin\AppData\Roaming\firfafox.exe"'
        - Scheduled Task/Job: Scheduled Task
        PID: 2584

  [2] C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.bat""
      - Suspicious use of WriteProcessMemory
      PID: 2684

    [3] C:\Windows\system32\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe
        PID: 2856

    [3] C:\Users\Admin\AppData\Roaming\firfafox.exe
        Command line: "C:\Users\Admin\AppData\Roaming\firfafox.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: fc3dec551f6d93afdea107412fec0823
SHA1: f3337ae24d683cb20e6195fd8901f0cf0cd7d4b2
SHA256: 837b3b7bbd9edb1c694efe7c73038656eb4e321c98901f2e055569b44e4d14a4
SHA512: b5c5633d85ae613439336f93483a688b73e7e195525386885a8b5d83fd9ec4edf2e908bc99d5fbedb92185dafcf167b59cc327ab2af175987a1746d67724ca1f

Filesize: 72KB
MD5: 83e4f77cae137c7bff6a24007930ea56
SHA1: 45139cb5e3d5dfde3a190481623a66cb6716e1af
SHA256: 3aa48400e3e1c4445de1af0ad00e98a503e6606eb979e0e546278f22bf0fb2cd
SHA512: a57d5d62a74a6d948db770f51497985b170c761f8c7ad849c9e6d8de902def26f1e8cc7c56498fb1f9c71cc84cc6b5fca5a12c703a35cb16c0cff48eb90b315c