Analysis
max time kernel: 148s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 23:55

Static task: static1
Behavioral task: behavioral1
  Sample: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

General
Target: 20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
Size: 351KB
MD5: 20582340f93fdefaaeb114ffd7f659e2
SHA1: 2b298bc579a805f020d0f8c2a4ec8dafada61417
SHA256: e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363
SHA512: 31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d
SSDEEP: 6144:kOzzBxDMAYloj1/L8YEAQwgG5hOm3Y/eUObRPlV:VvBxDMAzjN4YEAFMmo/AbRP

Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  pid   process
  1252  netsh.exe

Drops startup file (2 IoCs)
Processes:
  description                   ioc                                                                                                              process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe  UpdateGoogle.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4b11d4cad7102d66f494861052a39573.exe  UpdateGoogle.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2436  UpdateGoogle.exe
  2196  UpdateGoogle.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2672  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  2436  UpdateGoogle.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1976-3-0x0000000005100000-0x0000000005128000-memory.dmp  agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."  UpdateGoogle.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4b11d4cad7102d66f494861052a39573 = "\"C:\\Users\\Admin\\AppData\\Roaming\\UpdateGoogle.exe\" .."                          UpdateGoogle.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   process                                             target process
  PID 1976 set thread context of 2672  1976  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  PID 2436 set thread context of 2196  2436  UpdateGoogle.exe                                    UpdateGoogle.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  description           ioc                                                     process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process
  1976  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  1976  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  2436  UpdateGoogle.exe
  2436  UpdateGoogle.exe
  2196  UpdateGoogle.exe
  2196  UpdateGoogle.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1976  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  Token: SeDebugPrivilege  2436  UpdateGoogle.exe
  Token: SeDebugPrivilege  2196  UpdateGoogle.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  2672  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe
  2196  UpdateGoogle.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (identical rows collapsed; the count column gives the number of times each row is recorded, 32 in total):
  description                       pid   process                                             target process                                      count
  PID 1976 wrote to memory of 2672  1976  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe  9
  PID 2672 wrote to memory of 2436  2672  20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe  UpdateGoogle.exe                                    7
  PID 2436 wrote to memory of 2196  2436  UpdateGoogle.exe                                    UpdateGoogle.exe                                    12
  PID 2196 wrote to memory of 1252  2196  UpdateGoogle.exe                                    netsh.exe                                           4

Processes
1. C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe (PID 1976)
   command line: "C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe (PID 2672, child of 1)
     command line: "C:\Users\Admin\AppData\Local\Temp\20582340f93fdefaaeb114ffd7f659e2_JaffaCakes118.exe"
     - Loads dropped DLL
     - Suspicious use of FindShellTrayWindow
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe (PID 2436, child of 2)
       command line: "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe (PID 2196, child of 3)
         command line: "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe"
         - Drops startup file
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\netsh.exe (PID 1252, child of 4)
           command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\UpdateGoogle.exe" "UpdateGoogle.exe" ENABLE
           - Modifies Windows Firewall
           - Event Triggered Execution: Netsh Helper DLL

Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)

Downloads
\Users\Admin\AppData\Roaming\UpdateGoogle.exe
  Filesize  351KB
  MD5       20582340f93fdefaaeb114ffd7f659e2
  SHA1      2b298bc579a805f020d0f8c2a4ec8dafada61417
  SHA256    e37938245442bf4c1114da250f93cb5cc2fea5c35e50883b819f3c8afc4ab363
  SHA512    31bd2f9061d6026f9cd8ada6f57e07a4c1c4db7ee7ff9bb279cd6659b848f23917e264cf65af31fb3ce5f592a2a6358b931341d0e660f9f82c525379834bbb5d

Memory dumps
  dump                                                             Filesize
  memory/1976-18-0x0000000074010000-0x00000000746FE000-memory.dmp  6.9MB
  memory/1976-1-0x0000000000A80000-0x0000000000ADE000-memory.dmp   376KB
  memory/1976-2-0x0000000074010000-0x00000000746FE000-memory.dmp   6.9MB
  memory/1976-3-0x0000000005100000-0x0000000005128000-memory.dmp   160KB
  memory/1976-4-0x0000000074010000-0x00000000746FE000-memory.dmp   6.9MB
  memory/1976-5-0x0000000000770000-0x0000000000784000-memory.dmp   80KB
  memory/1976-6-0x0000000000710000-0x0000000000716000-memory.dmp   24KB
  memory/1976-0-0x000000007401E000-0x000000007401F000-memory.dmp   4KB
  memory/2196-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/2436-30-0x0000000000410000-0x0000000000424000-memory.dmp  80KB
  memory/2436-29-0x00000000008E0000-0x000000000093E000-memory.dmp  376KB
  memory/2672-10-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/2672-17-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/2672-13-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/2672-19-0x0000000074010000-0x00000000746FE000-memory.dmp  6.9MB
  memory/2672-15-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
  memory/2672-21-0x0000000074010000-0x00000000746FE000-memory.dmp  6.9MB
  memory/2672-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/2672-9-0x0000000000400000-0x000000000041C000-memory.dmp   112KB
  memory/2672-28-0x0000000074010000-0x00000000746FE000-memory.dmp  6.9MB
  memory/2672-8-0x0000000000400000-0x000000000041C000-memory.dmp   112KB
  memory/2672-7-0x0000000000400000-0x000000000041C000-memory.dmp   112KB