Analysis
- max time kernel: 131s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 09:31

Behavioral task: behavioral1
Sample: 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
Resource: win7-20240508-en
General
- Target: 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
- Size: 712KB
- MD5: 1ac753c59c28070cb10bf0eb25ee165c
- SHA1: 80f35da575f811a9ac21ebc9eb7e51ec9ddbe4d8
- SHA256: 62e858cdb0da451a083d794a0372412b8d3f47f781e85ce2eacbf0efcb1436b4
- SHA512: 42cb0eaeca8a2e0b1a45b5ce9c3ce7e7c1bc29cc9937dc2751434555b2a15f56d1dab9816acc7c4ecdee8f370e66dd2ca48c26e2fe7f8d21c33ce6f366aab551
- SSDEEP: 12288:RAw66iL7A40720OzBh7O6/M/SSCt1JMsRnaBl3ca:qw66iLl0720O1NnmjCvGSna
Malware Config
Signatures
-
Detect Blackmoon payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4544-0-0x0000000000400000-0x00000000004D3000-memory.dmp | family_blackmoon
C:\Windows\Logs\RunDllExe.exe | family_blackmoon
C:\Windows\Logs\RunDllExe_New | family_blackmoon
-
Gh0st RAT payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/4544-0-0x0000000000400000-0x00000000004D3000-memory.dmp | family_gh0strat
-
Boot or Logon Autostart Execution: Port Monitors (1 TTP, 2 IoCs)
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
Processes: 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe\Driver = "C:\\Windows\\Logs\\RunDllExe.dll" | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
-
Executes dropped EXE (3 IoCs)
Processes: RunDllExe.exe, RunDllExe.exe
pid | process
2104 |
4664 | RunDllExe.exe
1268 | RunDllExe.exe
-
Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination | IP 114.114.114.114
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: RunDllExe.exe, RunDllExe.exe
description | pid | process | target process
PID 1268 set thread context of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 set thread context of 560 | 4664 | RunDllExe.exe | svchost.exe
-
Drops file in Windows directory (9 IoCs)
Processes: RunDllExe.exe, RunDllExe.exe, 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe.exe | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created | C:\Windows\Logs\RunDllExe | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe.dll | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created | C:\Windows\MpMgSvc.dll | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe, RunDllExe.exe, RunDllExe.exe
pid | process
4544 | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
4664 | RunDllExe.exe
1268 | RunDllExe.exe
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: RunDllExe.exe, RunDllExe.exe, 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
description | pid | process | target process
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 1268 wrote to memory of 2244 | 1268 | RunDllExe.exe | svchost.exe
PID 4664 wrote to memory of 560 | 4664 | RunDllExe.exe | svchost.exe
PID 4544 wrote to memory of 2352 | 4544 | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe | cmd.exe
PID 4544 wrote to memory of 2352 | 4544 | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe | cmd.exe
PID 4544 wrote to memory of 2352 | 4544 | 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Port Monitors
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (tree level 2)
    Command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
-
C:\Windows\Logs\RunDllExe.exe (tree level 1)
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe (tree level 2)
    Command line: C:\Windows\system32\svchost.exe
-
C:\Windows\Logs\RunDllExe.exe (tree level 1)
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\svchost.exe (tree level 2)
    Command line: C:\Windows\system32\svchost.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Windows\Logs\RunDllExe.dll
Filesize: 89KB
MD5: c02d9300deea8aaa42bf5e9c56ddcf29
SHA1: 4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89
SHA256: 54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5
SHA512: c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1
-
C:\Windows\Logs\RunDllExe.exe
Filesize: 160KB
MD5: 645564cf1c80e047a6e90ac0f2d6a6b7
SHA1: 35e4b5e065b90fe5b1713e5a4645875f023b6a18
SHA256: 6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9
SHA512: e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21
-
C:\Windows\Logs\RunDllExe_New
Filesize: 160KB
MD5: 8b3b63e0a2d7b602a7246fe2ee36b0e3
SHA1: bc667c2e48d5b8a4eda2823a1f486e5fb5adfecf
SHA256: aa6d2d3db4f2b887dc2f9e28756d64d71fb896e3a1b632ce0abf40ce8f800961
SHA512: 44c37e4e0300ea0d562ef03c30bf2a3485c26504ffe305502111e8fda7d34c1d0aa4a4631cd2f40967e1ec76ab42d84e9a441d9b791110fb95179ead70b5a519
-
C:\Windows\Logs\RunDllExe_New.dll
Filesize: 89KB
MD5: 7b7ad54ebda8bb1e3a41427b9c488e33
SHA1: 05aabb09d80bf6e3a6af7b9bbcda74aa1eb3633e
SHA256: 1bc461cdfbcbb870e2c08e2521b3ec6ddb77c49e556b45aa64736a2d3c28e919
SHA512: 933a90b1048226ff49241618f5e6299613b969e6c884f66c55a77f5810b9c5d56260a010fb750ab9c9f0c163981ca57ef5348fb3cbbc2a55e4d1a13bc5e40549
-
memory/2244-11-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/2244-35-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/2244-13-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/2244-9-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/4544-0-0x0000000000400000-0x00000000004D3000-memory.dmp
Filesize: 844KB