Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Size: 244KB
- MD5: b9b275c08efd0e570023ea72b87d11ca
- SHA1: 973e50e7a08a9a043c954d01b36e81d4b9e8971b
- SHA256: a99d97ddfd8fe18d735e8f849a532558f3b6f71b105770d391957c160708bcbc
- SHA512: 660f8ad67dec852a057ab59c1dc5db45645637843800365f4566d6bce579e2491720f2e13832fa589f34ab65a24b77ffa82aa837606891419626ace32e32fbe8
- SSDEEP: 6144:ZqobsBIUj9y0NPe9DMm0biMLEJOY0+sSNmHP:ZlYBIUj9yZ9DMfiva+sx
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  1480  Gamedctr.exe
  3392  prevmote.exe
  1028  ~6A81.tmp
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fixmburn = "C:\\Users\\Admin\\AppData\\Roaming\\MRINubst\\Gamedctr.exe"
  Process: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Drops file in System32 directory (1 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\prevmote.exe
  Process: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1420  4412        WerFault.exe  84
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid Process pairs: 1480 Gamedctr.exe 1480 Gamedctr.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3488 Explorer.EXE 3392 prevmote.exe 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe 3392 prevmote.exe 3488 Explorer.EXE 3488 Explorer.EXE 3392 prevmote.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description                       pid   Process
  Token: SeDebugPrivilege           1480  Gamedctr.exe
  Token: SeShutdownPrivilege        3488  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3488  Explorer.EXE
  Token: SeShutdownPrivilege        3488  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3488  Explorer.EXE
  Token: SeShutdownPrivilege        3488  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3488  Explorer.EXE
  Token: SeShutdownPrivilege        3488  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3488  Explorer.EXE
  Token: SeShutdownPrivilege        3488  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3488  Explorer.EXE
- Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  3488  Explorer.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                             procid_target
  PID 4412 wrote to memory of 1480  4412  b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe  89
  PID 4412 wrote to memory of 1480  4412  b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe  89
  PID 4412 wrote to memory of 1480  4412  b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe  89
  PID 1480 wrote to memory of 1028  1480  Gamedctr.exe                                        91
  PID 1480 wrote to memory of 1028  1480  Gamedctr.exe                                        91
  PID 1028 wrote to memory of 3488  1028  ~6A81.tmp                                           57
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID: 3488
  - C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4412
    - C:\Users\Admin\AppData\Roaming\MRINubst\Gamedctr.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\MRINubst"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1480
      - C:\Users\Admin\AppData\Local\Temp\~6A81.tmp (depth 4)
        Command line: 3488 250376 1480 1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1028
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 624
      - Program crash
      PID: 1420
- C:\Windows\SysWOW64\prevmote.exe (depth 1)
  Command line: C:\Windows\SysWOW64\prevmote.exe -s
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 3392
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 4412
  PID: 3708
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: aac3165ece2959f39ff98334618d10d9
  SHA1: 020a191bfdc70c1fbd3bf74cd7479258bd197f51
  SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
  SHA512: 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf
- Filesize: 244KB
  MD5: b4415dfb23ca836e2d9644a08cea259e
  SHA1: f0d85f83dc734667bdc40979f04084c6f60cc5d8
  SHA256: fce8614e61613b6042d72af9540a52ad6e9ee35caa997f046fd46a997960e720
  SHA512: 20b575063a33c854a7e4c59c6b9d3e5b7c1f2fadffbb596af513bb0a34d3e28d44b21c0bbfd80d2252ce696bc2c7778fae53300b6cca4424d8cf195cac194a12