Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 01:59
Static task: static1
Behavioral task: behavioral1
- Sample: ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe
- Size: 259KB
- MD5: ac8348dd8319365d4857b1e20715c6da
- SHA1: 5c5b1008a7a96015f2588fd60ddc0b4739f74fb5
- SHA256: a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0
- SHA512: eed7640b28d4b023cd4c252ed812820221aca61f969ca2e6d5f59aad5532fae07d17401272dd36a3c49641136fa8a95d1e1d801076deb8eac97222f506f0ac86
- SSDEEP: 6144:nQ6ixI8UKltZMbvRrUjZMlbHHOLGqJ/89GEgr/KLUygLMh:Q6ie8UKl7M7RA1MRn5t9wrSLbK
Malware Config
Extracted
- Family: buer
- URL: https://kackdelar.top/
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/2124-5-0x0000000040000000-0x000000004000C000-memory.dmp | buer
behavioral1/memory/2124-7-0x0000000040000000-0x000000004000C000-memory.dmp | buer
behavioral1/memory/2124-8-0x0000000040000000-0x000000004000C000-memory.dmp | buer
behavioral1/memory/2124-10-0x0000000040000000-0x000000004000C000-memory.dmp | buer
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only) by RegAsm.exe: \??\G:, \??\H:, \??\R:, \??\V:, \??\Z:, \??\A:, \??\E:, \??\I:, \??\K:, \??\L:, \??\O:, \??\T:, \??\B:, \??\J:, \??\N:, \??\S:, \??\U:, \??\W:, \??\X:, \??\Y:, \??\M:, \??\P:, \??\Q:
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2180 (ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe) set thread context of PID 2124 (RegAsm.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 2704 powershell.exe
- PID 2124 RegAsm.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- PID 2180 ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2704 powershell.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 2180 (ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe) wrote to memory of PID 2124 (RegAsm.exe), 8 events
- PID 2124 (RegAsm.exe) wrote to memory of PID 2704 (powershell.exe), 4 events
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\f3a1e8b680609eb0e75d}"
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
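Detection logic for the behaviour recorded in this report, as an added example that is not part of the sandbox output. It runs over constructed process-creation and cross-process records modelled on the process tree above: the PIDs, image paths, injection APIs and the Add-MpPreference command line are taken from the report, while the record format and field names, the sample's parent PID 1604, the -EncodedCommand variant (PID 2900) and the RegSvcs.exe entry in the target list are assumptions. It flags the three things the tree shows: a Defender exclusion added from PowerShell (including when the command is base64-encoded), a .NET framework utility launched with no arguments whose own parent then writes into it and sets its thread context, and a shell spawned by that utility.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class CrossProcEvent:
    src_pid: int
    dst_pid: int
    api: str       # API the source process used against the target


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac8348dd8319365d4857b1e20715c6da_JaffaCakes118.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PWSH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry modelled on the report's process tree. PIDs, images,
# APIs and the Add-MpPreference command line come from the report; the
# sample's parent PID 1604 and the encoded-command launch (PID 2900) are invented.
ENC = base64.b64encode("Add-MpPreference -ExclusionProcess RegAsm.exe".encode("utf-16le")).decode()
EVENTS = [
    ProcEvent(2180, 1604, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2124, 2180, REGASM, f'"{REGASM}"'),
    ProcEvent(2704, 2124, PWSH,
              'powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\\ProgramData\\f3a1e8b680609eb0e75d}"'),
    ProcEvent(2900, 2124, PWSH, f"powershell.exe -nop -w hidden -enc {ENC}"),
]
XPROC = [
    CrossProcEvent(2180, 2124, "SetThreadContext"),
    CrossProcEvent(2180, 2124, "WriteProcessMemory"),
    CrossProcEvent(2124, 2704, "WriteProcessMemory"),
]

MPPREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
EXCL = re.compile(r"""(?i)-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+(?:"([^"]*)"|'([^']*)'|([^\s}"']+))""")
ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# RegAsm.exe is the target in this report; RegSvcs.exe is an assumed addition of
# the same kind (signed .NET utility that does nothing useful with no arguments).
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe"}
INJECT_APIS = {"WriteProcessMemory", "SetThreadContext", "MapViewOfSection"}
SHELLS = {"powershell.exe", "cmd.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmdline: str) -> str:
    """Append the plaintext of any -EncodedCommand payload (PowerShell encodes it
    as base64 of UTF-16LE) so the exclusion regexes see it as well."""
    out = cmdline
    for m in ENCODED.finditer(cmdline):
        try:
            out += " " + base64.b64decode(m.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; keep the raw command line
    return out


def defender_exclusions(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    """(pid, parameter, value) for every Defender exclusion added or set with
    Add-MpPreference/Set-MpPreference, one entry per comma-separated value."""
    hits = []
    for ev in events:
        text = expand_encoded(ev.cmdline)
        if not MPPREF.search(text):
            continue
        for m in EXCL.finditer(text):
            value = next(g for g in m.groups()[1:] if g is not None)
            hits.extend((ev.pid, m.group(1), v.strip()) for v in value.split(","))
    return hits


def hollowed_targets(events: list[ProcEvent], xproc: list[CrossProcEvent]) -> list[tuple[int, str, int, str]]:
    """(child_pid, child_image, parent_pid, parent_image) where a framework utility
    was launched with no arguments and its own parent then wrote into it or changed
    its thread context: the shape of the SetThreadContext/WriteProcessMemory IoCs."""
    by_pid = {ev.pid: ev for ev in events}
    writers = {(x.src_pid, x.dst_pid) for x in xproc if x.api in INJECT_APIS}
    out = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or _basename(ev.image) not in HOLLOW_TARGETS:
            continue
        no_args = ev.cmdline.strip().strip('"').lower() == ev.image.lower()
        if no_args and (parent.pid, ev.pid) in writers:
            out.append((ev.pid, ev.image, parent.pid, parent.image))
    return out


def shells_from_framework_utils(events: list[ProcEvent]) -> list[tuple[int, int]]:
    """(shell_pid, parent_pid) for shells whose parent is a framework utility,
    as with RegAsm.exe -> powershell.exe in this report."""
    by_pid = {ev.pid: ev for ev in events}
    return [(ev.pid, ev.ppid) for ev in events
            if _basename(ev.image) in SHELLS
            and ev.ppid in by_pid and _basename(by_pid[ev.ppid].image) in HOLLOW_TARGETS]


if __name__ == "__main__":
    print(defender_exclusions(EVENTS), hollowed_targets(EVENTS, XPROC),
          shells_from_framework_utils(EVENTS), sep="\n")
```

The checks match on image basename rather than full path on purpose: the tree above shows the 32-bit copies (Framework rather than Framework64, SysWOW64 rather than System32), and the same behaviour from the 64-bit copies should fire too. Reading the exclusion value back out matters because it names the directory the loader wants Defender to ignore, which is the path to go and collect from the host.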
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2124-5-0x0000000040000000-0x000000004000C000-memory.dmp (48KB)
- memory/2124-7-0x0000000040000000-0x000000004000C000-memory.dmp (48KB)
- memory/2124-8-0x0000000040000000-0x000000004000C000-memory.dmp (48KB)
- memory/2124-10-0x0000000040000000-0x000000004000C000-memory.dmp (48KB)
- memory/2180-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp (4KB)
- memory/2180-1-0x00000000008A0000-0x00000000008E8000-memory.dmp (288KB)
- memory/2180-2-0x0000000074D90000-0x000000007547E000-memory.dmp (6.9MB)
- memory/2180-3-0x0000000004140000-0x0000000004156000-memory.dmp (88KB)
- memory/2180-4-0x0000000074D90000-0x000000007547E000-memory.dmp (6.9MB)
- memory/2180-9-0x0000000074D90000-0x000000007547E000-memory.dmp (6.9MB)