Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 03-04-2024 21:21
Behavioral task: behavioral1
- Sample: a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe
- Size: 160KB
- MD5: a6f49268044adfb73e4f8ea088c3dcfa
- SHA1: 5b92442c8945f9edf38e8126fc89020f53246004
- SHA256: 5df09e43f7d1ec24ee6bfb27102dfbaf466c620613338d1a28c0cff86b128e3e
- SHA512: 57f0dea14fae90415722ec137c910148a2aeef0f6f101f8da6542ca61ca00edf8369b0020fc64bcc11c7cac37a5021bc7bb7af55f9605c9fea5622f1403d5a68
- SSDEEP: 1536:CEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:JY+4MiIkLZJNAQ9J6v
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/4536-0-0x0000000000400000-0x0000000000428000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B5BEC9FD = "C:\\Users\\Admin\\AppData\\Roaming\\B5BEC9FD\\bin.exe" | winver.exe
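The Run-key IoC above is the one persistence artefact the report records. The following is an added example, not part of the sandbox report or its tooling: it parses a Run/RunOnce value written in the native `\REGISTRY\...` form the sandbox logs and applies the checks an analyst would make by hand (user-writable target directory, bare hex token as the value name, value name matching the drop directory, per-user hive). The first IoC string is copied from the report; the benign second entry, the directory list and the heuristics are this example's own constructed assumptions.

```python
"""Triage a Run-key autorun IoC in the format this sandbox report uses.

Added example, not part of the sandbox report or its tooling. SAMPLE_IOC is
copied from the report's "Adds Run key to start application" row; BENIGN_IOC
is a constructed entry for comparison. The heuristics and the list of
user-writable directories are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Copied from the report (the report escapes backslashes inside the value data).
SAMPLE_IOC = (
    r'\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B5BEC9FD = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\B5BEC9FD\\bin.exe"'
)
# Constructed benign entry: a machine-wide Run value pointing into System32.
BENIGN_IOC = (
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    r'\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe"'
)

# Native registry path as the sandbox logs it: hive, optional user SID,
# optional Wow6432Node, Run or RunOnce, value name, quoted value data.
RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?:(?P<sid>S-1-5-21-[\d-]+)\\)?'
    r'SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\'
    r'(?P<key>Run(?:Once)?)\\(?P<name>[^\\=]+?)\s*=\s*"?(?P<data>.*?)"?$'
)

# Directories a standard user can write to (assumed list): an autorun pointing
# here needs no admin rights to plant and is the usual home of dropped stages.
USER_WRITABLE = (
    '\\appdata\\roaming\\', '\\appdata\\local\\', '\\users\\public\\',
    '\\programdata\\', '\\temp\\',
)
HEX_TOKEN = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


@dataclass
class Autorun:
    hive: str
    sid: Optional[str]
    key: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_run_ioc(ioc: str) -> Autorun:
    m = RUN_KEY_RE.match(ioc)
    if not m:
        raise ValueError(f'not a Run/RunOnce value: {ioc!r}')
    # Undo the report's doubled backslashes so the path compares like a real path.
    target = m.group('data').replace('\\\\', '\\')
    return Autorun(m.group('hive'), m.group('sid'), m.group('key'),
                   m.group('name'), target)


def triage(a: Autorun) -> Autorun:
    """Attach one reason per heuristic that fires; score is the reason count."""
    low = a.target.lower()
    parts = a.target.split('\\')
    if any(d in low for d in USER_WRITABLE):
        a.reasons.append('target lives in a user-writable directory')
    if HEX_TOKEN.match(a.name):
        a.reasons.append('value name is a bare 8-hex-digit token')
    if len(parts) >= 2 and parts[-2].lower() == a.name.lower():
        a.reasons.append('value name equals the directory the target sits in')
    if a.hive == 'USER' and a.key == 'Run' and a.score:
        a.reasons.append('per-user Run key: persists without admin rights')
    return a


if __name__ == '__main__':
    for ioc in (SAMPLE_IOC, BENIGN_IOC):
        a = triage(parse_run_ioc(ioc))
        print(f'score {a.score}: {a.key}\\{a.name} -> {a.target}')
        for r in a.reasons:
            print('   -', r)
```

On the report's IoC every heuristic fires; on the constructed System32 entry none does. The same parser works on the HKLM form because the SID segment is optional, which matters when comparing a per-user drop such as this one against machine-wide autoruns.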
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4112 | winver.exe (this row is repeated for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3360 | Explorer.EXE (x5)
Token: SeCreatePagefilePrivilege | 3360 | Explorer.EXE (x5)
Token: SeShutdownPrivilege | 4008 | RuntimeBroker.exe (x2)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
4112 | winver.exe
3360 | Explorer.EXE
3360 | Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3360 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4536 wrote to memory of 4112 | 4536 | a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe | winver.exe (x4)
PID 4112 wrote to memory of 3360 | 4112 | winver.exe | Explorer.EXE
PID 4112 wrote to memory of 2400 | 4112 | winver.exe | sihost.exe
PID 4112 wrote to memory of 2420 | 4112 | winver.exe | svchost.exe
PID 4112 wrote to memory of 2632 | 4112 | winver.exe | taskhostw.exe
PID 4112 wrote to memory of 3360 | 4112 | winver.exe | Explorer.EXE
PID 4112 wrote to memory of 3540 | 4112 | winver.exe | svchost.exe
PID 4112 wrote to memory of 3784 | 4112 | winver.exe | DllHost.exe
PID 4112 wrote to memory of 3892 | 4112 | winver.exe | StartMenuExperienceHost.exe
PID 4112 wrote to memory of 4008 | 4112 | winver.exe | RuntimeBroker.exe
PID 4112 wrote to memory of 3112 | 4112 | winver.exe | SearchApp.exe
PID 4112 wrote to memory of 4188 | 4112 | winver.exe | RuntimeBroker.exe
PID 4112 wrote to memory of 4592 | 4112 | winver.exe | RuntimeBroker.exe
PID 4112 wrote to memory of 3356 | 4112 | winver.exe | TextInputHost.exe
PID 4112 wrote to memory of 2448 | 4112 | winver.exe | msedge.exe
PID 4112 wrote to memory of 4388 | 4112 | winver.exe | msedge.exe
PID 4112 wrote to memory of 2864 | 4112 | winver.exe | msedge.exe
PID 4112 wrote to memory of 3852 | 4112 | winver.exe | msedge.exe
PID 4112 wrote to memory of 2940 | 4112 | winver.exe | msedge.exe
PID 4112 wrote to memory of 1716 | 4112 | winver.exe | msedge.exe
PID 4112 wrote to memory of 1164 | 4112 | winver.exe | msedge.exe
PID 4112 wrote to memory of 4680 | 4112 | winver.exe | backgroundTaskHost.exe
PID 4112 wrote to memory of 2908 | 4112 | winver.exe | RuntimeBroker.exe
PID 4112 wrote to memory of 1764 | 4112 | winver.exe | RuntimeBroker.exe
PID 4112 wrote to memory of 380 | 4112 | winver.exe | DllHost.exe
PID 4112 wrote to memory of 1796 | 4112 | winver.exe | WerFault.exe
PID 2448 wrote to memory of 1336 | 2448 | msedge.exe | msedge.exe (x35)
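The WriteProcessMemory signature counts every cross-process write, so the sample writing into the winver.exe it spawned, winver.exe writing into already-running system and browser processes, and msedge.exe setting up its own helper process all land in one list. The following is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own format, separates the three cases using the parent/child relationships visible in the process tree, and rebuilds the chain of who received code from whom. ROWS is a constructed subset of the rows above; PARENT is read off the process tree in this report (the sample is a child of Explorer.EXE 3360, winver.exe 4112 a child of the sample, msedge.exe 1336 a child of msedge.exe 2448); the same-image-child exemption and the fan-out threshold are this example's assumptions.

```python
"""Rebuild the cross-process write graph from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report or its tooling. ROWS is a
constructed subset of the report's "Suspicious use of WriteProcessMemory" rows
in the report's own format. PARENT is the parent/child map read off the
report's process tree. The same-image-child exemption and the fan-out
threshold are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed subset of the report's rows (verbatim row format).
ROWS = """
PID 4536 wrote to memory of 4112 4536 a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe winver.exe
PID 4536 wrote to memory of 4112 4536 a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe winver.exe
PID 4112 wrote to memory of 3360 4112 winver.exe Explorer.EXE
PID 4112 wrote to memory of 2400 4112 winver.exe sihost.exe
PID 4112 wrote to memory of 2420 4112 winver.exe svchost.exe
PID 4112 wrote to memory of 3360 4112 winver.exe Explorer.EXE
PID 4112 wrote to memory of 4008 4112 winver.exe RuntimeBroker.exe
PID 4112 wrote to memory of 2448 4112 winver.exe msedge.exe
PID 4112 wrote to memory of 1796 4112 winver.exe WerFault.exe
PID 2448 wrote to memory of 1336 2448 msedge.exe msedge.exe
PID 2448 wrote to memory of 1336 2448 msedge.exe msedge.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$')

# child pid -> parent pid, taken from the report's process tree.
PARENT = {4536: 3360, 4112: 4536, 1336: 2448}


def parse_rows(text):
    """(src_pid, src_image, dst_pid, dst_image) -> number of rows seen."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, sname, dname = m.groups()
        key = (int(src), sname, int(dst), dname)
        edges[key] = edges.get(key, 0) + 1
    return edges


def same_image_child(sp, sn, dp, dn, parent):
    """A parent writing into a child running the same image is how browsers and
    other multi-process applications hand state to their helpers (assumed benign)."""
    return parent.get(dp) == sp and sn.lower() == dn.lower()


def analyse(edges, parent, fanout=3):
    """Classify each distinct write edge and flag writers with wide fan-out."""
    findings = []
    targets = defaultdict(set)
    for (sp, sn, dp, dn), n in edges.items():
        if same_image_child(sp, sn, dp, dn, parent):
            continue
        if parent.get(dp) == sp:
            # Writing into a freshly spawned child of a different image: the
            # child exists to host the payload (hollowing / injected-host pattern).
            findings.append(('spawned-host-write', sp, sn, dp, dn, n))
        else:
            # Writing into an unrelated, already-running process.
            findings.append(('unrelated-process-write', sp, sn, dp, dn, n))
            targets[(sp, sn)].add(dp)
    for (sp, sn), dsts in targets.items():
        if len(dsts) >= fanout:
            findings.append(('mass-injection', sp, sn, len(dsts)))
    return findings


def injection_chain(edges, parent, start):
    """Breadth-first walk from `start` along non-helper write edges."""
    adj, names = defaultdict(list), {}
    for (sp, sn, dp, dn) in edges:
        names[sp], names[dp] = sn, dn
        if same_image_child(sp, sn, dp, dn, parent) or dp in adj[sp]:
            continue
        adj[sp].append(dp)
    seen, queue, order = {start}, [start], []
    while queue:
        pid = queue.pop(0)
        order.append((pid, names.get(pid, '?')))
        for nxt in adj[pid]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


if __name__ == '__main__':
    edges = parse_rows(ROWS)
    for f in analyse(edges, PARENT):
        print(f)
    print(' -> '.join(f'{name}({pid})' for pid, name in injection_chain(edges, PARENT, 4536)))
```

On the constructed rows the browser's own helper write drops out, the sample's write into winver.exe is reported as a write into a spawned host of a different image, and winver.exe is flagged for writing into six unrelated processes. The same classification can be applied to host telemetry such as Sysmon ProcessAccess (event ID 10) and CreateRemoteThread (event ID 8) records once a parent map is built from process-creation events.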
Processes
Tree view: each entry is indented under its parent process; "cmd:" is the command line as captured; signatures triggered by that process are listed beneath it.

C:\Windows\system32\sihost.exe
  cmd: sihost.exe
  PID: 2400

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2420

C:\Windows\system32\taskhostw.exe
  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2632

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 3360
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage

    C:\Users\Admin\AppData\Local\Temp\a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe"
      PID: 4536
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\winver.exe
          cmd: winver
          PID: 4112
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3540

C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3784

    C:\Windows\system32\WerFault.exe
      cmd: C:\Windows\system32\WerFault.exe -u -p 3784 -s 932
      PID: 1796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3892

C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4008
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3112

C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4188

C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4592

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  PID: 2448
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ff97c662e98,0x7ff97c662ea4,0x7ff97c662eb0
      PID: 4388

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2280 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:2
      PID: 2864

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3224 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:3
      PID: 3852

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3328 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
      PID: 2940

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5260 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
      PID: 1716

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
      PID: 1164

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
      PID: 1336

C:\Windows\system32\backgroundTaskHost.exe
  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 4680

C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2908

C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1764

C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 380
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 79a889dcc335edc81cc9275b36a67710
  SHA1: ff2c5805f43db131286e78047a2d8922928b1e3c
  SHA256: dba9730d05187cea5707694d8d344c1043f8d1b168f72bba1f0a26e116de3c22
  SHA512: f0ba785ab81a43b1994971e1c073f222cc61760943fea7237e614f3e5895a962481b5f88d5897333720b2bca893eec5033428713bd6b7e99cc5948832a2c2f80