Analysis

Max time kernel: 121s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 01-07-2024 09:31

Behavioral task: behavioral1
Sample: 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
Size: 712KB
MD5: 1ac753c59c28070cb10bf0eb25ee165c
SHA1: 80f35da575f811a9ac21ebc9eb7e51ec9ddbe4d8
SHA256: 62e858cdb0da451a083d794a0372412b8d3f47f781e85ce2eacbf0efcb1436b4
SHA512: 42cb0eaeca8a2e0b1a45b5ce9c3ce7e7c1bc29cc9937dc2751434555b2a15f56d1dab9816acc7c4ecdee8f370e66dd2ca48c26e2fe7f8d21c33ce6f366aab551
SSDEEP: 12288:RAw66iL7A40720OzBh7O6/M/SSCt1JMsRnaBl3ca:qw66iLl0720O1NnmjCvGSna
Signatures
Detect Blackmoon payload (4 IoCs)
  Resource: YARA rule
  - behavioral1/memory/2208-0-0x0000000000400000-0x00000000004D3000-memory.dmp: family_blackmoon
  - C:\Windows\Logs\RunDllExe.exe: family_blackmoon
  - C:\Windows\Logs\RunDllExe_New: family_blackmoon
  - C:\Windows\Logs\RunDllExe: family_blackmoon
Gh0st RAT payload (1 IoC)
  Resource: YARA rule
  - behavioral1/memory/2208-0-0x0000000000400000-0x00000000004D3000-memory.dmp: family_gh0strat
Boot or Logon Autostart Execution: Port Monitors (1 TTP, 2 IoCs)
Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.
  Process: 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe\Driver = "C:\\Windows\\Logs\\RunDllExe.dll"
Deletes itself (1 IoC)
  - PID 2988 cmd.exe
Executes dropped EXE (3 IoCs)
  - PID 236
  - PID 2164 RunDllExe.exe
  - PID 2184 RunDllExe.exe
Unexpected DNS network traffic destination (1 IoC)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  - Destination IP: 114.114.114.114
Suspicious use of SetThreadContext (2 IoCs)
  - PID 2164 RunDllExe.exe set thread context of PID 2576 svchost.exe
  - PID 2184 RunDllExe.exe set thread context of PID 2500 svchost.exe
Drops file in Windows directory (12 IoCs)
  Description: path (process)
  - File created: C:\Windows\MpMgSvc.dll (1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\Logs\RunDllExe (RunDllExe.exe)
  - File created: C:\Windows\Logs\RunDllExe_New (RunDllExe.exe)
  - File created: C:\Windows\Logs\RunDllExe.exe (1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe)
  - File created: C:\Windows\Logs\RunDllExe (1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\Logs\RunDllExe.dll (RunDllExe.exe)
  - File created: C:\Windows\Logs\RunDllExe_New (RunDllExe.exe)
  - File created: C:\Windows\Logs\RunDllExe_New.dll (RunDllExe.exe)
  - File opened for modification: C:\Windows\Logs\RunDllExe.dll (RunDllExe.exe)
  - File opened for modification: C:\Windows\Logs\RunDllExe (RunDllExe.exe)
  - File created: C:\Windows\Logs\RunDllExe.dll (1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe)
  - File created: C:\Windows\Logs\RunDllExe_New.dll (RunDllExe.exe)
Suspicious use of SetWindowsHookEx (3 IoCs)
  - PID 2208 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
  - PID 2164 RunDllExe.exe
  - PID 2184 RunDllExe.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  - PID 2164 RunDllExe.exe wrote to memory of PID 2576 svchost.exe (10 events)
  - PID 2184 RunDllExe.exe wrote to memory of PID 2500 svchost.exe (10 events)
  - PID 2208 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe wrote to memory of PID 2988 cmd.exe (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Port Monitors
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
    - Deletes itself

C:\Windows\Logs\RunDllExe.exe
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe

C:\Windows\Logs\RunDllExe.exe
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe