Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 22:18

Static task: static1

Behavioral task: behavioral1
Sample: 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Size: 1008KB
MD5: 03c05094cf24092a7227d245bcb7a75e
SHA1: 8367243924d1c2c6c20e3e357461f599a83e354e
SHA256: ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067
SHA512: 89f30c4159576c5e70c803c1e9152035f343c0d0e5e7886409689f6a5ae8c9ad984291cdd2c5a62569f34982de80a0fd6b41aadcfa3fb634b418ca6dafac5dd2
SSDEEP: 12288:Uh/bN4BIjGHZg+tnVFzXu8itCcdHa5N2XCKtKB2/K7fGym4yx1bTAEWsI0mmF+J0:UhyOjkd5VFzW9hUAXWB2CfGzvIeF
Malware Config

Signatures

Executes dropped EXE 1 IoCs
Processes:
pid | process
3296 | svhost.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1380 set thread context of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exesvhost.exepid process 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 3296 svhost.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 3296 svhost.exe 3296 svhost.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 1380 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe 3296 svhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Token: SeDebugPrivilege | 3296 | svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3296 | svhost.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process
PID 1380 wrote to memory of 1512 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | cmd.exe
PID 1380 wrote to memory of 1512 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | cmd.exe
PID 1380 wrote to memory of 1512 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | cmd.exe
PID 1512 wrote to memory of 4916 | 1512 | cmd.exe | reg.exe
PID 1512 wrote to memory of 4916 | 1512 | cmd.exe | reg.exe
PID 1512 wrote to memory of 4916 | 1512 | cmd.exe | reg.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
PID 1380 wrote to memory of 3296 | 1380 | 03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe | svhost.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\03c05094cf24092a7227d245bcb7a75e_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    - Suspicious use of WriteProcessMemory

        Depth 3: C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\lsass.exe.lnk " /f

    Depth 2: C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\lsass.exe
Filesize: 1008KB
MD5: 03c05094cf24092a7227d245bcb7a75e
SHA1: 8367243924d1c2c6c20e3e357461f599a83e354e
SHA256: ae34a99eaf1d629982f8db2db60b08d92d3b74d328dbecebe20a038597be7067
SHA512: 89f30c4159576c5e70c803c1e9152035f343c0d0e5e7886409689f6a5ae8c9ad984291cdd2c5a62569f34982de80a0fd6b41aadcfa3fb634b418ca6dafac5dd2

C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize: 52KB
MD5: a64daca3cfbcd039df3ec29d3eddd001
SHA1: eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256: 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512: b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479
memory/1380-3-0x0000000074700000-0x0000000074CB1000-memory.dmp: Filesize 5.7MB
memory/1380-0-0x0000000074700000-0x0000000074CB1000-memory.dmp: Filesize 5.7MB
memory/1380-4-0x00000000016B0000-0x00000000016C0000-memory.dmp: Filesize 64KB
memory/1380-2-0x00000000016B0000-0x00000000016C0000-memory.dmp: Filesize 64KB
memory/1380-1-0x0000000074700000-0x0000000074CB1000-memory.dmp: Filesize 5.7MB
memory/1380-17-0x0000000074700000-0x0000000074CB1000-memory.dmp: Filesize 5.7MB
memory/3296-11-0x0000000000400000-0x000000000049A000-memory.dmp: Filesize 616KB
memory/3296-14-0x0000000074700000-0x0000000074CB1000-memory.dmp: Filesize 5.7MB
memory/3296-15-0x00000000011B0000-0x00000000011C0000-memory.dmp: Filesize 64KB
memory/3296-18-0x0000000074700000-0x0000000074CB1000-memory.dmp: Filesize 5.7MB
memory/3296-19-0x00000000011B0000-0x00000000011C0000-memory.dmp: Filesize 64KB