Analysis
- max time kernel: 142s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2024 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
- Resource: win7-20240419-en
General
- Target: 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
- Size: 278KB
- MD5: 253a01a3885449b469b5d48701c1f1b0
- SHA1: c152218d2ed37052b8e5808c45246bbb0dd7f8cd
- SHA256: 54eead45e2f5c5d49a65e9b6d2ccb79dad19acd6952713dddbdb1deedac57936
- SHA512: 91f30a2ccf7f2ed339c7531f130058af77629ccf538da88c819b5994cfdc13ff343d4cd52bc676436de201ad2252e7db5f8a3692b50fee146c72681b3cc8f089
- SSDEEP: 6144:rwmpb9Zz43C+A9cvUEEpXYMSkDZcxOqcDIrM:rwml9t43CTAM1uZA
Malware Config
Signatures
- Modifies security service (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Disables taskbar notifications via registry modification
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1196 | 8D42.tmp
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    2468 | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
    2468 | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Processes:
    resource | yara_rule
    behavioral1/memory/2468-2-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/2468-1-0x0000000000400000-0x0000000000468000-memory.dmp | upx
    behavioral1/memory/744-12-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/744-13-0x0000000000400000-0x0000000000468000-memory.dmp | upx
    behavioral1/memory/2468-14-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/3008-72-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/3008-73-0x0000000000400000-0x0000000000468000-memory.dmp | upx
    behavioral1/memory/2468-74-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/2468-75-0x0000000000400000-0x0000000000468000-memory.dmp | upx
    behavioral1/memory/2468-159-0x0000000000400000-0x000000000046B000-memory.dmp | upx
    behavioral1/memory/2468-194-0x0000000000400000-0x000000000046B000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BF2.exe = "C:\\Program Files (x86)\\LP\\4E5E\\BF2.exe" | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\LP\4E5E\BF2.exe | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
    File opened for modification | C:\Program Files (x86)\LP\4E5E\8D42.tmp | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
    File opened for modification | C:\Program Files (x86)\LP\4E5E\BF2.exe | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description | ioc | process
    File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | explorer.exe
- Modifies registry class (5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid | process
    2468 | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe (14 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    1732 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
    description | pid | process
    Token: SeRestorePrivilege | 2784 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 2784 | msiexec.exe
    Token: SeSecurityPrivilege | 2784 | msiexec.exe
    Token: SeShutdownPrivilege | 1732 | explorer.exe (12 identical entries)
- Suspicious use of FindShellTrayWindow (28 IoCs)
  Processes:
    pid | process
    1732 | explorer.exe (28 identical entries)
- Suspicious use of SendNotifyMessage (22 IoCs)
  Processes:
    pid | process
    1732 | explorer.exe (22 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 2468 wrote to memory of 744 | 2468 | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe (4 identical entries)
    PID 2468 wrote to memory of 3008 | 2468 | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe (4 identical entries)
    PID 2468 wrote to memory of 1196 | 2468 | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe | 8D42.tmp (4 identical entries)
- System policy modification (1 TTP, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\ECE51\EBC4E.exe%C:\Users\Admin\AppData\Roaming\ECE51
  - C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\253a01a3885449b469b5d48701c1f1b0_JaffaCakes118.exe startC:\Program Files (x86)\512A0\lvvm.exe%C:\Program Files (x86)\512A0
  - C:\Program Files (x86)\LP\4E5E\8D42.tmp
    Command line: "C:\Program Files (x86)\LP\4E5E\8D42.tmp"
    - Executes dropped EXE
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Active Setup (1)
Downloads
- C:\Users\Admin\AppData\Roaming\ECE51\12A0.CE5
  Filesize: 600B
  MD5: c6c26586c79f8814081b8e76ac3eb12e
  SHA1: c0a3690a8589976ee53765e35d8beb7c27160e5f
  SHA256: 501c84b09ca721723ac1fdafc4eb58142f0fb3913809624de78330698f058668
  SHA512: dbc4415ae78299558ed95e8332f5cc81984dca8a9e03b5ee84032f54146ffe8eb7c714367505995c65644abf756698c3fea5fa0e33728734999262c4a3bd802a
- C:\Users\Admin\AppData\Roaming\ECE51\12A0.CE5
  Filesize: 1KB
  MD5: 40c7fe7d802473d54079644f2e41ce34
  SHA1: 85d6bb79f96427019ba5c94dacc3cbf2146d65fe
  SHA256: d6a72edfd903e9de00d2f867b6c2e8d4c2a41c10b94492e72786becf29105f0d
  SHA512: cc57457f86948fc007440ba2f577551823e4c6b572f5cbe1a6c3e12ba1440d5288519bb3f04bd2d19db7dd2598915e26985ccadc50d2813f83c49ea4cb391177
- C:\Users\Admin\AppData\Roaming\ECE51\12A0.CE5
  Filesize: 996B
  MD5: 31ce78fb303023525a312955333db42d
  SHA1: 577df2fb7606367de8796711322e7c8ebd531645
  SHA256: 6e7f64919c2e77f59bb2c51f9332e4e6376833a679734f2ae71d95ac9da136ec
  SHA512: db461f41a476bb23e10a46c4ddf2f34cf8467e0b54bb8f9a9240940e7e7835f63d89c18d70e1674367979a56abf5832593be89861c99b59639897a77afa4c424
- \Program Files (x86)\LP\4E5E\8D42.tmp
  Filesize: 97KB
  MD5: 78193d48f57272fd9ea2e44ed86d608c
  SHA1: 1e70368bb5a0932f868fdddb22fd23dd2e7dedeb
  SHA256: c09d0876bbf956eb381d92a3e9dd61d49a4d65c1d2b65d3d42cb795256804aae
  SHA512: 4f55914fe2d3780f174843b9f3666a10f63caae9634af925da3dc6aea5a3f6ab9e6ebf693698b781931ce794919558c59f7bfa22be94dc8b556784d948fa14c1
- memory/744-12-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/744-13-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB
- memory/1196-193-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/2468-74-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/2468-2-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/2468-75-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB
- memory/2468-159-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/2468-14-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/2468-1-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB
- memory/2468-194-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
- memory/3008-73-0x0000000000400000-0x0000000000468000-memory.dmp
  Filesize: 416KB
- memory/3008-72-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB