Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
02-07-2024 11:44
Static task
static1
Behavioral task
behavioral1
Sample
1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe
-
Size
630KB
-
MD5
1f36ae9c549463f85413f1f79c0c5886
-
SHA1
d4c413853c03dd17acaada4c1d46195e57cb9017
-
SHA256
351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af
-
SHA512
e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c
-
SSDEEP
12288:v5kJ7Mj7pvwIQRdVoZ9NVlfndzfiX6gIGPQG+U:v5C4jVvW89N7fndzfpgFQG+
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
nSClearText.exepid process 2620 nSClearText.exe -
Loads dropped DLL 1 IoCs
Processes:
1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exepid process 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe -
Processes:
resource yara_rule behavioral1/memory/2724-24-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-23-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-19-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-18-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-17-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-14-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-12-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-25-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2724-26-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2004-40-0x0000000000400000-0x00000000004EB000-memory.dmp upx behavioral1/memory/2004-44-0x0000000000400000-0x00000000004EB000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
WScript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\jdx = "C:\\Users\\Admin\\AppData\\Roaming\\jdx.exe" WScript.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exedescription pid process target process PID 2024 set thread context of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 set thread context of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exepid process 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
cvtres.exe1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exevbc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2724 cvtres.exe Token: SeSecurityPrivilege 2724 cvtres.exe Token: SeTakeOwnershipPrivilege 2724 cvtres.exe Token: SeLoadDriverPrivilege 2724 cvtres.exe Token: SeSystemProfilePrivilege 2724 cvtres.exe Token: SeSystemtimePrivilege 2724 cvtres.exe Token: SeProfSingleProcessPrivilege 2724 cvtres.exe Token: SeIncBasePriorityPrivilege 2724 cvtres.exe Token: SeCreatePagefilePrivilege 2724 cvtres.exe Token: SeBackupPrivilege 2724 cvtres.exe Token: SeRestorePrivilege 2724 cvtres.exe Token: SeShutdownPrivilege 2724 cvtres.exe Token: SeDebugPrivilege 2724 cvtres.exe Token: SeSystemEnvironmentPrivilege 2724 cvtres.exe Token: SeChangeNotifyPrivilege 2724 cvtres.exe Token: SeRemoteShutdownPrivilege 2724 cvtres.exe Token: SeUndockPrivilege 2724 cvtres.exe Token: SeManageVolumePrivilege 2724 cvtres.exe Token: SeImpersonatePrivilege 2724 cvtres.exe Token: SeCreateGlobalPrivilege 2724 cvtres.exe Token: 33 2724 cvtres.exe Token: 34 2724 cvtres.exe Token: 35 2724 cvtres.exe Token: SeDebugPrivilege 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2004 vbc.exe Token: SeSecurityPrivilege 2004 vbc.exe Token: SeTakeOwnershipPrivilege 2004 vbc.exe Token: SeLoadDriverPrivilege 2004 vbc.exe Token: SeSystemProfilePrivilege 2004 vbc.exe Token: SeSystemtimePrivilege 2004 vbc.exe Token: SeProfSingleProcessPrivilege 2004 vbc.exe Token: SeIncBasePriorityPrivilege 2004 vbc.exe Token: SeCreatePagefilePrivilege 2004 vbc.exe Token: SeBackupPrivilege 2004 vbc.exe Token: SeRestorePrivilege 2004 vbc.exe Token: SeShutdownPrivilege 2004 vbc.exe Token: SeDebugPrivilege 2004 vbc.exe Token: SeSystemEnvironmentPrivilege 2004 vbc.exe Token: SeChangeNotifyPrivilege 2004 vbc.exe Token: SeRemoteShutdownPrivilege 2004 vbc.exe Token: SeUndockPrivilege 2004 vbc.exe Token: SeManageVolumePrivilege 2004 vbc.exe Token: SeImpersonatePrivilege 2004 vbc.exe Token: SeCreateGlobalPrivilege 2004 vbc.exe Token: 33 2004 vbc.exe Token: 34 2004 vbc.exe Token: 35 2004 vbc.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exedescription pid process target process PID 2024 wrote to memory of 624 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cmd.exe PID 2024 wrote to memory of 624 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cmd.exe PID 2024 wrote to memory of 624 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cmd.exe PID 2024 wrote to memory of 624 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cmd.exe PID 2024 wrote to memory of 1908 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe WScript.exe PID 2024 wrote to memory of 1908 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe WScript.exe PID 2024 wrote to memory of 1908 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe WScript.exe PID 2024 wrote to memory of 1908 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe WScript.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2724 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe cvtres.exe PID 2024 wrote to memory of 2620 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe nSClearText.exe PID 2024 wrote to memory of 2620 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe nSClearText.exe PID 2024 wrote to memory of 2620 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe nSClearText.exe PID 2024 wrote to memory of 2620 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe nSClearText.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe PID 2024 wrote to memory of 2004 2024 1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1f36ae9c549463f85413f1f79c0c5886_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cd C:\Users\Admin\AppData\Roaming\ &&ren *.zgy *.exe && exit2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTemp104.vbs"2⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\nSClearText.exeC:\Users\Admin\AppData\Local\Temp\nSClearText.exe2⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MTemp104.vbsFilesize
429B
MD5d4d3eb4e97c7387695972b24915e7530
SHA1087ba0cdd68b4cd6bae40b81935c0d273a1a97bd
SHA256f5b3191cb17353ca70f772b6208d26d04ba18076a709c20990836f75ee27a638
SHA512a9709a5552d7013fe28bfc1d3dc8479108377a14c1b131390747a6a80e25def6161f79fa8a9bd2179ee70f9dd1a212d940a28e3bd8dbd5165b552a191e1de8ac
-
C:\Users\Admin\AppData\Roaming\jdx.zgyFilesize
630KB
MD51f36ae9c549463f85413f1f79c0c5886
SHA1d4c413853c03dd17acaada4c1d46195e57cb9017
SHA256351b67cd53a80350ea7d34f069e85a2e4cb4d8050ef00f1e4a994f04326c78af
SHA512e54ac588bcba670fe0d3dbbf21768cfa2c1af799c4fc9d2f16d01efbb0697fbf63eaa7ae16ac26e1ef31a1cb247eb6ce63f923dab0ab0d9efe9d3db20852b76c
-
memory/2004-44-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2004-40-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2024-0-0x0000000074631000-0x0000000074632000-memory.dmpFilesize
4KB
-
memory/2024-1-0x0000000074630000-0x0000000074BDB000-memory.dmpFilesize
5.7MB
-
memory/2024-2-0x0000000074630000-0x0000000074BDB000-memory.dmpFilesize
5.7MB
-
memory/2024-41-0x0000000074630000-0x0000000074BDB000-memory.dmpFilesize
5.7MB
-
memory/2024-27-0x0000000074630000-0x0000000074BDB000-memory.dmpFilesize
5.7MB
-
memory/2724-17-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-18-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2724-14-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-12-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-25-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-26-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-19-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-23-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-24-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB
-
memory/2724-9-0x0000000000400000-0x00000000004EB000-memory.dmpFilesize
940KB