Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 04-04-2024 23:33
Behavioral task: behavioral1
Sample: c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe
Resource: win7-20231129-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe
Resource: win10v2004-20240226-en
9 signatures, 150 seconds
General
Target: c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe
Size: 34KB
MD5: c4bdc1d2264ca610f5759f279f1dd1dc
SHA1: 61a0df77c61cb7564cf4927b17bf2f8bf60cb33b
SHA256: 4bd4035fc62d7d71b6020c745d5001d1a9972dcc87e49f7d1dbc6199f41ca788
SHA512: 783305b40d12d188f3dfe11c0802691160ba703e7158ba069bda1f4484b3854b1ba7f095cfebe4f4e18750a87e1887f7f23c0bec82172fd5a479dfcbe8b6b58c
SSDEEP: 768:Jp22qWFcy5XQ7lO41uirwA98p3MpkNBxd0cJWV6dy/x9J2:JpYoX58z1uirL98xMWnT0OQ9J2
Score: 10/10
Malware Config

Signatures

Processes:
  resource: behavioral1/memory/2848-0-0x0000000000400000-0x0000000000417000-memory.dmp
  yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: winver.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\227D6992 = "C:\\Users\\Admin\\AppData\\Roaming\\227D6992\\bin.exe"
  process: winver.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: winver.exe
  pid / process: 2412 winver.exe (all 64 entries are the same pid and process)
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: winver.exe, Explorer.EXE
  pid / process:
    2412 winver.exe
    1380 Explorer.EXE
    1380 Explorer.EXE
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
  pid / process:
    1380 Explorer.EXE
    1380 Explorer.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe, winver.exe
  description | pid | process | target process
    PID 2848 wrote to memory of 2412 | 2848 | c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe | winver.exe
    PID 2848 wrote to memory of 2412 | 2848 | c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe | winver.exe
    PID 2848 wrote to memory of 2412 | 2848 | c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe | winver.exe
    PID 2848 wrote to memory of 2412 | 2848 | c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe | winver.exe
    PID 2848 wrote to memory of 2412 | 2848 | c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe | winver.exe
    PID 2412 wrote to memory of 1380 | 2412 | winver.exe | Explorer.EXE
    PID 2412 wrote to memory of 1248 | 2412 | winver.exe | taskhost.exe
    PID 2412 wrote to memory of 1332 | 2412 | winver.exe | Dwm.exe
    PID 2412 wrote to memory of 1380 | 2412 | winver.exe | Explorer.EXE
Processes (process tree; the leading number is the depth in the tree)

1  C:\Windows\system32\taskhost.exe
   command line: "taskhost.exe"
   PID: 1248

1  C:\Windows\system32\Dwm.exe
   command line: "C:\Windows\system32\Dwm.exe"
   PID: 1332

1  C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1380
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

   2  C:\Users\Admin\AppData\Local\Temp\c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\c4bdc1d2264ca610f5759f279f1dd1dc_JaffaCakes118.exe"
      PID: 2848
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\winver.exe
         command line: winver
         PID: 2412
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory