Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 24-12-2024 13:29
Behavioral task: behavioral1
Sample: JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe
Resource: win7-20241023-en
General
Target: JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe
Size: 72KB
MD5: bbb8e40c8828fb4649ab6414cea472f8
SHA1: ee633e317ca9a66a97550aa6e5521803a27693e6
SHA256: 5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417
SHA512: c9f9c41ba8c99cb3e913e6cffd63be0f5dfc81e08e056d0ce2083e16b344c0990b9455c21c07e7bf34ba46e9514d66d12966c02d2292b5e5e26aef90f2aed06c
SSDEEP: 1536:QoD1Mth9k0XBq+adebTry5UNEN5rNKmVcl:QoD1Mthy0MXebTdk5JK8Y
Malware Config
Extracted
Family: asyncrat
Version: 0.5.6D
Botnet: Default
C2: milla.publicvm.com:6606
C2: milla.publicvm.com:7707
C2: milla.publicvm.com:8808
Mutex: bdeyjxzfhfrvuzdyrin
Attributes:
  delay: 3
  install: true
  install_file: firefoxa.exe
  install_folder: %AppData%
Signatures
Asyncrat family
Async RAT payload (1 IoCs)
  resource | yara_rule
  behavioral1/files/0x000c00000001202c-15.dat | family_asyncrat
Executes dropped EXE (1 IoCs)
  pid | Process
  2948 | firefoxa.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoCs)
  pid | Process
  3064 | timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  800 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe
  2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe
  2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe
  Token: SeDebugPrivilege | 2948 | firefoxa.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2396 wrote to memory of 2576 | 2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe | 30
  PID 2396 wrote to memory of 2576 | 2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe | 30
  PID 2396 wrote to memory of 2576 | 2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe | 30
  PID 2396 wrote to memory of 2372 | 2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe | 32
  PID 2396 wrote to memory of 2372 | 2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe | 32
  PID 2396 wrote to memory of 2372 | 2396 | JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe | 32
  PID 2372 wrote to memory of 3064 | 2372 | cmd.exe | 34
  PID 2372 wrote to memory of 3064 | 2372 | cmd.exe | 34
  PID 2372 wrote to memory of 3064 | 2372 | cmd.exe | 34
  PID 2576 wrote to memory of 800 | 2576 | cmd.exe | 35
  PID 2576 wrote to memory of 800 | 2576 | cmd.exe | 35
  PID 2576 wrote to memory of 800 | 2576 | cmd.exe | 35
  PID 2372 wrote to memory of 2948 | 2372 | cmd.exe | 37
  PID 2372 wrote to memory of 2948 | 2372 | cmd.exe | 37
  PID 2372 wrote to memory of 2948 | 2372 | cmd.exe | 37
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2396
  C:\Windows\System32\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417 /tr '"C:\Users\Admin\AppData\Roaming\firefoxa.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID: 2576
    C:\Windows\system32\schtasks.exe
      Command: schtasks /create /f /sc onlogon /ru system /rl highest /tn JaffaCakes118_5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417 /tr '"C:\Users\Admin\AppData\Roaming\firefoxa.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID: 800
  C:\Windows\system32\cmd.exe
    Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7B2.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID: 2372
    C:\Windows\system32\timeout.exe
      Command: timeout 3
      - Delays execution with timeout.exe
      PID: 3064
    C:\Users\Admin\AppData\Roaming\firefoxa.exe
      Command: "C:\Users\Admin\AppData\Roaming\firefoxa.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2948
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: df5b26b35d8da9c08974253d33932f07
SHA1: 862a4b57d25a2f54b2546b44e75f15ba14dfbad8
SHA256: 8ea64427908da04ad14afaef2adf1a43bc03c8ecf554880eb689ed3508b0512e
SHA512: a95f834d10b8821fc7545ea76304f63cc20f846f0f2f6e6beaf0702710482d96eb9306b828e4b28602c53931c48f53cf7cadfa42053706e684ee374d354a8386

Filesize: 72KB
MD5: bbb8e40c8828fb4649ab6414cea472f8
SHA1: ee633e317ca9a66a97550aa6e5521803a27693e6
SHA256: 5aaec1bda08134d46382d217dbeba5a93a5969cb6ad918c04476086a21e8d417
SHA512: c9f9c41ba8c99cb3e913e6cffd63be0f5dfc81e08e056d0ce2083e16b344c0990b9455c21c07e7bf34ba46e9514d66d12966c02d2292b5e5e26aef90f2aed06c