Analysis
max time kernel: 148s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 22:54
Behavioral task: behavioral1
  Sample: c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe
Size: 34KB
MD5: c3f463fda49e53ded3a52026df1e0690
SHA1: dc3517829275f6fb677b7ca67e6c47a5b3b740f5
SHA256: 0b45c1fa41e5d3679a5176b8a8cc99a960f702d3118510c5ebe01010cf642c08
SHA512: 8d1f3e078aedc7ed1c46b88a16cd7190e587796a1cd2c974ff4e85d4b42a9d94ed4d6a7c07c8f035ff46e6ea53037dd02714f5bdc2031a6d3393407a580a6768
SSDEEP: 768:yp22qWFcy5XQ7lO41uirwA98p3MpkNBxd0cJWV6dy/x9J2:ypYoX58z1uirL98xMWnT0OQ9J2
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/560-0-0x0000000000400000-0x0000000000417000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes: winver.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\225C5E07 = "C:\\Users\\Admin\\AppData\\Roaming\\225C5E07\\bin.exe" | winver.exe
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1568 | 844 | WerFault.exe | winver.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: winver.exe
pid | process
844 | winver.exe
844 | winver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Explorer.EXE
description | pid | process
Token: SeShutdownPrivilege | 3452 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3452 | Explorer.EXE
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: winver.exe, Explorer.EXE
pid | process
844 | winver.exe
3452 | Explorer.EXE
3452 | Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
pid | process
3452 | Explorer.EXE
Suspicious use of WriteProcessMemory 6 IoCs
Processes: c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe, winver.exe
description | pid | process | target process
PID 560 wrote to memory of 844 | 560 | c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe | winver.exe
PID 560 wrote to memory of 844 | 560 | c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe | winver.exe
PID 560 wrote to memory of 844 | 560 | c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe | winver.exe
PID 560 wrote to memory of 844 | 560 | c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe | winver.exe
PID 844 wrote to memory of 3452 | 844 | winver.exe | Explorer.EXE
PID 844 wrote to memory of 60 | 844 | winver.exe | sihost.exe
Processes
C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 60
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3452
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c3f463fda49e53ded3a52026df1e0690_JaffaCakes118.exe"
    PID: 560
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe
      command line: winver
      PID: 844
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 352
        PID: 1568
        - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 844 -ip 844
  PID: 2336