Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2024 21:50
Behavioral task behavioral1
- Sample: 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
- Size: 22KB
- MD5: 26595ef93171e77c30c72444ba6e5db5
- SHA1: b0db24ae3c620954ee696d323171508cc4cc223e
- SHA256: be48fcf0760558d0de4e79aa5f432a666c10d7e55b74dd63d0d628ef4a589f2a
- SHA512: 8117b6411fdb1c6f2ad2f25d480ed7d116a762fdd36e6c29bc1961c70689f6ec2d8813c5566fd2ad7768cfe7e4eef22fbaee8a83ec509dc0a84970d2e1813b22
- SSDEEP: 384:GurXb/lfW2U8g+qeIBlr1TzG8wVpmKG9LDWojYE0WQctn:bbtfQ80bB/Tq8wjmU/cp
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  - File created: C:\Windows\SysWOW64\drivers\beep.sys (process: 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\drivers\beep.sys (process: ATI.exe)
- YARA rule matches (resource: rule)
  - \Windows\SysWOW64\ATI.exe: aspack_v212_v242
  - behavioral1/memory/2140-14-0x0000000000270000-0x0000000000278000-memory.dmp: aspack_v212_v242
- Deletes itself (1 IoC)
  - PID 3044: cmd.exe
- Executes dropped EXE (1 IoC)
  - PID 2036: ATI.exe
- Loads dropped DLL (2 IoCs)
  - PID 2140: 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe (2 entries)
- Drops file in System32 directory (3 IoCs)
  - File created: C:\Windows\SysWOW64\ATI.exe (process: 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe)
  - File opened for modification: C:\Windows\SysWOW64\ATI.exe (process: 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe)
  - File created: C:\Windows\SysWOW64\ATI.exe (process: ATI.exe)
- Suspicious behavior: LoadsDriver (2 IoCs)
  - pid 480 / process 480 (as recorded on the page)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeIncBasePriorityPrivilege, PID 2140, 26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe
  - Token: SeIncBasePriorityPrivilege, PID 2036, ATI.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 2140 (26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe) wrote to memory of PID 2036 (ATI.exe): 4 entries
  - PID 2036 (ATI.exe) wrote to memory of PID 2148 (cmd.exe): 4 entries
  - PID 2140 (26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe) wrote to memory of PID 3044 (cmd.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26595ef93171e77c30c72444ba6e5db5_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ATI.exe (level 2)
    Command line: "C:\Windows\system32\ATI.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\ATI.exe > nul
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\26595E~1.EXE > nul
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\SysWOW64\drivers\beep.sys
  Filesize: 2KB
  MD5: 5fd668ad46277cc087c14569bd508f7b
  SHA1: a401a642806991b49e39a08862fa5d462cf37bb6
  SHA256: aeeb1db06947f713973e60e1e87e9d5e0de15904586137b55a37d88925222662
  SHA512: 51d303862887aec41d04bf1a00c1a43ca6c9f0ec91d2f0736a517250d11840e482c09e63447ec4ebc746b8328881d6fbd17ea401fc54e1044e41816f42175b1c
- \Windows\SysWOW64\ATI.exe
  Filesize: 22KB
  MD5: 26595ef93171e77c30c72444ba6e5db5
  SHA1: b0db24ae3c620954ee696d323171508cc4cc223e
  SHA256: be48fcf0760558d0de4e79aa5f432a666c10d7e55b74dd63d0d628ef4a589f2a
  SHA512: 8117b6411fdb1c6f2ad2f25d480ed7d116a762fdd36e6c29bc1961c70689f6ec2d8813c5566fd2ad7768cfe7e4eef22fbaee8a83ec509dc0a84970d2e1813b22
- memory/2036-15-0x0000000000400000-0x0000000000407028-memory.dmp
  Filesize: 28KB
- memory/2140-0-0x0000000000400000-0x0000000000407028-memory.dmp
  Filesize: 28KB
- memory/2140-5-0x0000000000270000-0x0000000000278000-memory.dmp
  Filesize: 32KB
- memory/2140-14-0x0000000000270000-0x0000000000278000-memory.dmp
  Filesize: 32KB