Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2025, 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
Size: 226KB
MD5: 5c7539eb8bd4f1de9ee82d82fb579004
SHA1: a14b51d2a28e6a87e1a70af3d1c509eb48e1ad29
SHA256: 4e201af7f5247616567a18647dac8dc88189e98ef7aba65990cf2f6190ddea1d
SHA512: 2d717942490de0aa5e01c01c44d2e982a725519e61dc4959c9147f8a959b3d212509b98734423d2b03b7bfb8d304043affd4b8c0d0cac0cd2ab33be084313e81
SSDEEP: 3072:T7lEsddl6ynhIgTbAp2AatRdTj4LQvrcfHfQDihV2s5ZKaBu0cKe48PIQNLfAahy:2gPAYZm0r4f7VbHu2x6HNca3LQ
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
Executes dropped EXE (2 IoCs)
pid | Process
2468 | kcy.exe
2616 | kcy.exe
Loads dropped DLL (2 IoCs)
pid | Process
1324 | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
1324 | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
Modifies system executable filetype association (2 TTPs, 17 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\ = "Application" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon\ = "%1" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | kcy.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | kcy.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1796 set thread context of 1324 | 1796 | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | 30
PID 2468 set thread context of 2616 | 2468 | kcy.exe | 35
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcy.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kcy.exe
Modifies registry class (41 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\DefaultIcon | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas\command | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start\command | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\ = "Application" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\ = "exefile" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open\command | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\DefaultIcon\ = "%1" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kcy.exe\" -a \"%1\" %*" | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\DefaultIcon\ = "%1" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command | kcy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\runas | kcy.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\exefile\shell\start\command | kcy.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process | entries
1324 | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | 9
2616 | kcy.exe | 5
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2184 | explorer.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process | entries
Token: SeShutdownPrivilege | 2184 | explorer.exe | 19
Suspicious use of FindShellTrayWindow (33 IoCs)
pid | Process | entries
2184 | explorer.exe | 31
2616 | kcy.exe | 2
Suspicious use of SendNotifyMessage (20 IoCs)
pid | Process | entries
2184 | explorer.exe | 19
2616 | kcy.exe | 1
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target | entries
PID 1796 wrote to memory of 1324 | 1796 | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | 30 | 8
PID 1324 wrote to memory of 2468 | 1324 | JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe | 32 | 4
PID 2468 wrote to memory of 2616 | 2468 | kcy.exe | 35 | 8
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe (PID 1796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe (PID 1324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\kcy.exe (PID 2468)
      Command line: "C:\Users\Admin\AppData\Local\kcy.exe" -gav C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7539eb8bd4f1de9ee82d82fb579004.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\kcy.exe (PID 2616)
        Command line: "C:\Users\Admin\AppData\Local\kcy.exe"
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe (PID 2184)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 226KB
MD5: 5c7539eb8bd4f1de9ee82d82fb579004
SHA1: a14b51d2a28e6a87e1a70af3d1c509eb48e1ad29
SHA256: 4e201af7f5247616567a18647dac8dc88189e98ef7aba65990cf2f6190ddea1d
SHA512: 2d717942490de0aa5e01c01c44d2e982a725519e61dc4959c9147f8a959b3d212509b98734423d2b03b7bfb8d304043affd4b8c0d0cac0cd2ab33be084313e81