Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 17:33

General

  • Target

    be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.exe

  • Size

    488KB

  • MD5

    be72c0d39f337b92b8b2839dadafeb27

  • SHA1

    f4e665b6ee5d54f1499be230a53169aacaac1969

  • SHA256

    2232141d329267f88679decd77f3992b67862e751aa2deaa6585cf8116eddeda

  • SHA512

    19df1dddc5b0305de37b249443fa43e89ed70bd42b70aa3f27740e7d2591a63bd9425a31a31ce7be836ffaa9f724f6c89cea4bfa5cc16c17a3f8d8cf30baf287

  • SSDEEP

    12288:E2JylsKTUHPMrPEFMFn3jEFMFnPix1c60yaKmXHzSaoHuO:E2JyxgHPMrPEFMFn3jEFMFnzKmDSaoH

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Enumerates connected drives (3 TTPs, 4 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Users\Admin\AppData\Local\Temp\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.sys
      C:\Users\Admin\AppData\Local\Temp\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.sys /zhj
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      PID:1452
    • C:\Windows\SOS.exe
      C:\Windows\SOS.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SOS.sys
        C:\Windows\SOS.sys /zhj
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:3260
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2340
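As an added example (not part of this sandbox report), the process tree above rebuilt as Sysmon-style process-creation records and run through three hunting rules: a PE started as a process from a path ending in .sys (drivers are loaded by the kernel, never spawned, so the two "/zhj" children stand out), an executable launched from the root of C:\Windows that is not on a short allow-list (the report's Downloads section shows C:\Windows\SOS.exe carries the same MD5/SHA256 as the submitted sample), and a SHA256 match against the hashes the report records. The event field names follow Sysmon Event ID 1, but the records themselves, the allow-list and the rule names are constructed for this example; C:\Windows\SOS.sys has no hash in the report, so its record carries no Hashes field and the rules have to tolerate that.

```python
"""Hunting rules over a sandbox process tree (added example, not part of the report).

EVENTS is CONSTRUCTED from the report's process tree in the shape of Sysmon
Event ID 1 records. Hash values are the ones the report records; the report
lists no hash for C:\\Windows\\SOS.sys, so that record has no Hashes field.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# SHA256 values from the report: the submitted sample (byte-identical to the
# dropped C:\Windows\SOS.exe) and the dropped .sys file that was run as a process.
SAMPLE_SHA256 = "2232141d329267f88679decd77f3992b67862e751aa2deaa6585cf8116eddeda"
DROPPED_SYS_SHA256 = "9b8619fbbf4384c6cec2ee8a8731797e43e6b6c61ce21414856ec01233157ea1"
KNOWN_BAD_SHA256 = {SAMPLE_SHA256, DROPPED_SYS_SHA256}

# Assumption: a short allow-list of executables that legitimately live directly
# under C:\Windows. Tune it to the build you hunt on.
WINDOWS_ROOT_ALLOWLIST = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "winhlp32.exe", "splwow64.exe", "bfsvc.exe",
}

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed from the report's process tree
    {"ProcessId": 4580, "ParentProcessId": None,
     "Image": TEMP + r"\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.exe",
     "CommandLine": '"' + TEMP + r'\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.exe"',
     "Hashes": "MD5=be72c0d39f337b92b8b2839dadafeb27,SHA256=" + SAMPLE_SHA256},
    {"ProcessId": 1452, "ParentProcessId": 4580,
     "Image": TEMP + r"\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.sys",
     "CommandLine": TEMP + r"\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.sys /zhj",
     "Hashes": "SHA256=" + DROPPED_SYS_SHA256},
    {"ProcessId": 3708, "ParentProcessId": 4580,
     "Image": r"C:\Windows\SOS.exe", "CommandLine": r"C:\Windows\SOS.exe",
     "Hashes": "MD5=be72c0d39f337b92b8b2839dadafeb27,SHA256=" + SAMPLE_SHA256},
    {"ProcessId": 3260, "ParentProcessId": 3708,
     "Image": r"C:\Windows\SOS.sys", "CommandLine": r"C:\Windows\SOS.sys /zhj"},
    {"ProcessId": 2340, "ParentProcessId": None,  # benign Edge utility process
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
                    " --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService"},
]


@dataclass
class Finding:
    pid: int
    image: str
    rules: list[str]


def sha256_from_hashes(event: dict) -> str | None:
    """Pull SHA256 out of a Sysmon 'ALG=hex,ALG=hex' Hashes field; None if absent."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule this process-creation event trips."""
    directory, name = ntpath.split(event["Image"])
    hits = []
    if name.lower().endswith(".sys"):
        # Drivers are loaded by the kernel, never started as a process, so a
        # .sys path in a process-creation event is a renamed user-mode PE.
        hits.append("pe_with_sys_extension_started_as_process")
    if directory.lower() == r"c:\windows" and name.lower() not in WINDOWS_ROOT_ALLOWLIST:
        hits.append("unexpected_executable_in_windows_root")
    if sha256_from_hashes(event) in KNOWN_BAD_SHA256:
        hits.append("sha256_matches_known_sample")
    return hits


def ancestry(pid: int, by_pid: dict[int, dict]) -> list[int]:
    """Walk ParentProcessId links back to the root: root first, pid last."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].get("ParentProcessId")
    return chain[::-1]


def triage(events: list[dict]) -> dict[int, Finding]:
    """Map PID -> Finding for every event that trips at least one rule."""
    return {e["ProcessId"]: Finding(e["ProcessId"], e["Image"], hits)
            for e in events if (hits := evaluate(e))}


def report(events: list[dict]) -> list[str]:
    """One line per finding, prefixed with its parent chain (e.g. 4580 > 3708 > 3260)."""
    by_pid = {e["ProcessId"]: e for e in events}
    lines = []
    for pid, f in sorted(triage(events).items()):
        chain = " > ".join(str(p) for p in ancestry(pid, by_pid))
        lines.append(f"{chain}  {f.image}  [{', '.join(f.rules)}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

Only the four sample-related processes are flagged; the Edge utility process passes all three rules. SOS.sys is caught by the .sys and Windows-root rules alone, which is the point of keeping rules that do not depend on a hash: the first two keep working on a re-packed variant.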

Network

Downloads

          • C:\Program Files\7-Zip\7z.exe

            Filesize

            1.0MB

            MD5

            7ef657b550fff87b44d760e257f52f99

            SHA1

            a3fe8cc7e2c2e7ad2583bc21e5e146a0b5b02805

            SHA256

            0281f2be872589a8f82787455a30ed0fc2d2ba6bdf6c36f4e09076dfcaacd47e

            SHA512

            d073cd5232abdce06230cfe3822c0a4334a59d8956220bfad3b397c2e1832c6e6a7373f4b39babd90e7fb3eab71e600fea062729c4a876c6f124ec0daa7f6a0f

          • C:\Program Files\7-Zip\7zFM.exe

            Filesize

            1.4MB

            MD5

            37699a910b34695709850895e068b202

            SHA1

            2101bc757b1864d81d5b442ae8faead6cc8fcc40

            SHA256

            cef8ae968839a424a7563ceeaa756b5971d47c134f149c3f0c4d5efa38b50354

            SHA512

            b55d507722b3d91e98e582a8cb18eee3c076b4d70970c2f3d8e3b492e0ccb82e461c913e5f6b8e702bde68f8731ed7f3097d60d73990456ba804f70a7d34a84e

          • C:\Program Files\7-Zip\7zG.exe

            Filesize

            1.1MB

            MD5

            989a0ec6f0b7201da0023c12ed98351a

            SHA1

            df00bda8f4ec56087094eb6d44da5cb3c4a6a1a8

            SHA256

            add5cb8e047a69295866508e7879c6edd58ad80994d78c3d3f5f6d8b9e975a23

            SHA512

            a5af5db8a9c6d6e87fb16298f73c4a50a888260ec611d851d6af16812ddc6372ee942ddc64d91e867d1475536b7fdd9ec640f0dd076641996ce00972bc6f1a30

          • C:\Program Files\7-Zip\Uninstall.exe

            Filesize

            502KB

            MD5

            3d8300ffbbbc8f0c3abc46883fa6ab78

            SHA1

            8566fc7a7d2f99622a8d6247bc384149337faecb

            SHA256

            aa0749b576077d91df001fba54357bbdb936bbff4e08f837c94d2a770eaffc73

            SHA512

            de271841f29e461f220414b30818bc66072a0f86bb13a02bf0e1e78925425e53f2c5412bc2969bd7a198ed62943ec4135c971aa64301fcc47d1629777b0d57dd

          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

            Filesize

            4.8MB

            MD5

            d62e55505895a35f33556ef239ae09be

            SHA1

            c5432f4d6fd65c0806753bb41d88e05010714462

            SHA256

            c5dc3f957c4cb7d5c2271e9bc445054ce3e7a48557c8061ee2f5e38b06c0f61f

            SHA512

            dadf51663a980c7b98f18581993f8225e51254230e6ff5c7985d07d208b739b5f7755a5be6b8e4b9aaeb2c09e82b23b382ff982b85064eb3346fc465aa0ebf09

          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

            Filesize

            2.1MB

            MD5

            f619fb90777d52545da76808beef11da

            SHA1

            5955f7050fc5ccf2b1d2dd79ebab26d900133b92

            SHA256

            46cf5a06e5c52dbb6c01699f765f503485844f12f92fc1da00e8a82e44227374

            SHA512

            da5987e69f293179cc240f7e4c5c56ce90a5f3c4c5091760cc3dbf257208abb68fda728846eb8e69bfe5159bcf9f5902588458c9e76327e5df78b2e6f6df77a4

          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

            Filesize

            1.7MB

            MD5

            11d4e55617e1cfc7ef3aa95a8653a3eb

            SHA1

            a4e7d07c58a4bff69dd8cefe7ca3090dbc0e0411

            SHA256

            89060ae52eb3e15075534f041525b8a465112c602d3d3c74da3fe682a7ec7d43

            SHA512

            dec41424804373bb47b3ffe42046a530e54f8b7ad05d0ece751ebc094996b80de58ddb52579929ae785d93acfa0862ce9520ebb4bdfd326fdae05227602a70af

          • C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

            Filesize

            1.5MB

            MD5

            089808397d26fd7f1d67fdb9c0a9e416

            SHA1

            c34d524ed897baeb84948ce6ec330edad1cb5402

            SHA256

            a1483d486e2ee76698daa4749c56e1ed92d2cd4dfec0cedfe50a1c975d6ba297

            SHA512

            039c9d9f78d12693ec2a290f19d5fa4ca5e0b067f92e5ee18ba558d1a90d4a666fff3e3f1abf2155424d1761a79d7ed604c02fc501fb15d1e107a0f96f46119d

          • C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

            Filesize

            511KB

            MD5

            8270f87cd16fe955ac4783943c6a9d23

            SHA1

            271b35217260e07b6da7379c72bcb88082b595c2

            SHA256

            5d0fb47a80fe65bd37b51bbb7ade151b871b65c01791681dea05031195f43146

            SHA512

            d6a5af0faac5d927d4e49f899684bf392fb9bcaba61f196d23788688cf7373c318ea42a97141503c78d51eb1ce610bb0089f32a238c4a8d62efae698777a2b30

          • C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

            Filesize

            511KB

            MD5

            8747fc04840ce0119c257deee4012625

            SHA1

            99d59d52e2521e5d7f4b673a1bad985f9cf44c84

            SHA256

            f1c2e70901265aa2450539998404ff559a2d75f655846f360e1cba0b47dc65d0

            SHA512

            963d7ed4d9b1c5195baa2660c98eb56c95baea8727b3d0d0de0f41d2b6555beed43ccfdbef14f657c7dd4d414884b8063aa510559788a45a3d7b5a0b8431b31b

          • C:\Program Files\Java\jdk-1.8\bin\schemagen.exe

            Filesize

            511KB

            MD5

            49f4f1cbca24e52cdc4ec723855e3056

            SHA1

            6bb30106fbfc9a63cff8610a1f891d0c3c1fb8c2

            SHA256

            914edb58089f7e7925ff68f1e044144f36b4357f8e9b801ade9ba8e87cf7ffd3

            SHA512

            124a39b178b04eebaa8f4038b3f9456b40530766ad568abaf14e5bdaed9df4bc783bc1e7ad8de5df1a3418b039fa93a99eee187e914219bf2432f270399854ed

          • C:\Program Files\Java\jdk-1.8\bin\serialver.exe

            Filesize

            511KB

            MD5

            260db4c728aa2c399eaa6db613fcd29c

            SHA1

            70891e6eaeb7811f0ab8d03cb834ad29e6b741ab

            SHA256

            dc7005d476638b05a4fbd8e3979d005414378031c0264da760ebe6aea191e5ad

            SHA512

            880e70a1e458e476a1328e97e91813609c6b447bc39ed937b2d8482589ece672964133f12ae70449078a7dc5da7ab2f628b09f5f98fd33c8f949a40594790fed

          • C:\Program Files\Java\jdk-1.8\bin\wsimport.exe

            Filesize

            511KB

            MD5

            07af30f4c733549e5631433490015968

            SHA1

            5c4b83f2289c5d49335748a90ce6bcd4e2e63e38

            SHA256

            1845f5fbf497db61237e426d44168df29a4c9d11ed26371db9755988cdfc312f

            SHA512

            eaf8dd5c5b9f0a76fd35ac4dee143c3c34e734ea6b35eb93f350eba16b96bca98aea1418e38ecf7038c6b8c1cefb38362f6d870ef053f3d0ab1e59f26464292e

          • C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe

            Filesize

            511KB

            MD5

            9a840a6c5abb6a9018ae0567eb0399ce

            SHA1

            49069a58306a1e9edad7cf75f9cd1a30aa05bb1d

            SHA256

            142dfe004b9a58f1adce8fafd5d6069bf4d303e4864607a9bb0787599a36784f

            SHA512

            04fec6d91a74e11cd6b6a678658fb6b478de15f5cf19143decff5212be1a97ba1042cb8cca983651810c10ab8605d78dec425087cb0120d9f80775a0364c5a5d

          • C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

            Filesize

            511KB

            MD5

            d36054f1d47850105c899d4a5d2e7817

            SHA1

            33b52eac323935a22b3999b4e1fe084acc0c4520

            SHA256

            4cb664599fb404d97d4b9b35b3df82fabe724ad91eaa097f7a0544702eb4ca5f

            SHA512

            28cc1d4bc110de208f68d9829d80c3adebdf4389927c8473b519e4b9b8662b57554f33101000909978d4cd082a6dc5a71f7c1af12b882d617aee507baf44fb4e

          • C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe

            Filesize

            511KB

            MD5

            d2fef46a639254dbf6859ce47f9dd668

            SHA1

            f00eb967aef50bc46058ac42e7aee84cbe721921

            SHA256

            a6cbe4d414bfc3cdfcbf01ccd433ede39e3b3941c203d505d76b5159c02f1818

            SHA512

            9b6163568036abb26823a5aac8dc1cf14257e4a09d045562816b4ae2d7c74601378f9c83557bb844e6b28308312ba42ff0f710ab52feb27c9c506e4c1792b4d2

          • C:\Users\Admin\AppData\Local\Temp\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.sys

            Filesize

            976KB

            MD5

            4f63656cdc0e15b0ed3dae637d72d229

            SHA1

            3fd1654df2b3215d199404eb9f195180ef2f93f0

            SHA256

            9b8619fbbf4384c6cec2ee8a8731797e43e6b6c61ce21414856ec01233157ea1

            SHA512

            6fbd85d13b19e3d92d49416f0f972dd87eb5d90f39377e61da601d5b05e275399efe29b1c0c08e7cb72d3447ae1be0f48cb454aa9be634330bb3ffb5c7f185f0

          • C:\Windows\SOS.exe

            Filesize

            488KB

            MD5

            be72c0d39f337b92b8b2839dadafeb27

            SHA1

            f4e665b6ee5d54f1499be230a53169aacaac1969

            SHA256

            2232141d329267f88679decd77f3992b67862e751aa2deaa6585cf8116eddeda

            SHA512

            19df1dddc5b0305de37b249443fa43e89ed70bd42b70aa3f27740e7d2591a63bd9425a31a31ce7be836ffaa9f724f6c89cea4bfa5cc16c17a3f8d8cf30baf287

          • memory/1452-139-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3260-141-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-149-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-167-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-143-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-146-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-179-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-152-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-155-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-158-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-161-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-164-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-140-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-170-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-173-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/3708-176-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB

          • memory/4580-34-0x0000000000400000-0x0000000000439000-memory.dmp

            Filesize

            228KB
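As an added example (not part of this sandbox report), the Downloads list above as a machine-readable table with the checks an analyst wants before sweeping an estate: which dropped files are byte-for-byte copies of the submitted sample (the report's hashes show C:\Windows\SOS.exe is), which were written over binaries of installed third-party software under C:\Program Files, and which cluster by reported size (eight JDK launchers are all listed at 511KB with distinct hashes; the report does not say why, and the example only surfaces the cluster). Only path, reported size and SHA256 are carried into the table to keep it short; the size parser, the cluster threshold and the CSV shape are assumptions of this example.

```python
"""Correlate a sandbox report's dropped-file list (added example, not part of the report).

DROPPED is CONSTRUCTED from the report's Downloads section: path, reported
size and SHA256 of every dropped file. MD5/SHA1/SHA512 are omitted for brevity.
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE_SHA256 = "2232141d329267f88679decd77f3992b67862e751aa2deaa6585cf8116eddeda"

PF = r"C:\Program Files"
JDK = PF + r"\Java\jdk-1.8"
CHROME = PF + r"\Google\Chrome\Application"
DROPPED = [
    (PF + r"\7-Zip\7z.exe", "1.0MB", "0281f2be872589a8f82787455a30ed0fc2d2ba6bdf6c36f4e09076dfcaacd47e"),
    (PF + r"\7-Zip\7zFM.exe", "1.4MB", "cef8ae968839a424a7563ceeaa756b5971d47c134f149c3f0c4d5efa38b50354"),
    (PF + r"\7-Zip\7zG.exe", "1.1MB", "add5cb8e047a69295866508e7879c6edd58ad80994d78c3d3f5f6d8b9e975a23"),
    (PF + r"\7-Zip\Uninstall.exe", "502KB", "aa0749b576077d91df001fba54357bbdb936bbff4e08f837c94d2a770eaffc73"),
    (CHROME + r"\106.0.5249.119\Installer\setup.exe", "4.8MB", "c5dc3f957c4cb7d5c2271e9bc445054ce3e7a48557c8061ee2f5e38b06c0f61f"),
    (CHROME + r"\106.0.5249.119\elevation_service.exe", "2.1MB", "46cf5a06e5c52dbb6c01699f765f503485844f12f92fc1da00e8a82e44227374"),
    (CHROME + r"\106.0.5249.119\notification_helper.exe", "1.7MB", "89060ae52eb3e15075534f041525b8a465112c602d3d3c74da3fe682a7ec7d43"),
    (CHROME + r"\chrome_proxy.exe", "1.5MB", "a1483d486e2ee76698daa4749c56e1ed92d2cd4dfec0cedfe50a1c975d6ba297"),
    (JDK + r"\bin\jarsigner.exe", "511KB", "5d0fb47a80fe65bd37b51bbb7ade151b871b65c01791681dea05031195f43146"),
    (JDK + r"\bin\jdeps.exe", "511KB", "f1c2e70901265aa2450539998404ff559a2d75f655846f360e1cba0b47dc65d0"),
    (JDK + r"\bin\schemagen.exe", "511KB", "914edb58089f7e7925ff68f1e044144f36b4357f8e9b801ade9ba8e87cf7ffd3"),
    (JDK + r"\bin\serialver.exe", "511KB", "dc7005d476638b05a4fbd8e3979d005414378031c0264da760ebe6aea191e5ad"),
    (JDK + r"\bin\wsimport.exe", "511KB", "1845f5fbf497db61237e426d44168df29a4c9d11ed26371db9755988cdfc312f"),
    (JDK + r"\jre\bin\klist.exe", "511KB", "142dfe004b9a58f1adce8fafd5d6069bf4d303e4864607a9bb0787599a36784f"),
    (JDK + r"\jre\bin\orbd.exe", "511KB", "4cb664599fb404d97d4b9b35b3df82fabe724ad91eaa097f7a0544702eb4ca5f"),
    (JDK + r"\jre\bin\rmiregistry.exe", "511KB", "a6cbe4d414bfc3cdfcbf01ccd433ede39e3b3941c203d505d76b5159c02f1818"),
    (r"C:\Users\Admin\AppData\Local\Temp\be72c0d39f337b92b8b2839dadafeb27_JaffaCakes118.sys", "976KB",
     "9b8619fbbf4384c6cec2ee8a8731797e43e6b6c61ce21414856ec01233157ea1"),
    (r"C:\Windows\SOS.exe", "488KB", "2232141d329267f88679decd77f3992b67862e751aa2deaa6585cf8116eddeda"),
]

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(label: str) -> int:
    """'511KB' -> 523264 bytes. Report sizes are rounded, so treat this as approximate."""
    m = _SIZE_RE.match(label.strip().upper())
    if not m:
        raise ValueError(f"unrecognised size label: {label!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def identical_to_sample(files, sample_sha256: str = SAMPLE_SHA256) -> list[str]:
    """Dropped files whose SHA256 equals the submitted sample (self-copies)."""
    return [path for path, _, sha in files if sha.lower() == sample_sha256.lower()]


def under_program_files(files) -> list[str]:
    """Dropped files written over an existing third-party install under C:\\Program Files.
    The trailing backslash keeps 'C:\\Program Files (x86)' from matching."""
    prefix = PF.lower() + "\\"
    return [path for path, _, _ in files if path.lower().startswith(prefix)]


def size_clusters(files, minimum: int = 3) -> dict[str, list[str]]:
    """Group dropped files by reported size; unrelated binaries that suddenly
    share a size deserve a closer look. Threshold is an assumption."""
    groups: dict[str, list[str]] = defaultdict(list)
    for path, size, _ in files:
        groups[size].append(path)
    return {size: paths for size, paths in groups.items() if len(paths) >= minimum}


def hunting_csv(files) -> list[str]:
    """sha256,path rows for a hash sweep with whatever EDR or osquery your estate runs."""
    rows = ["sha256,path"]
    for path, _, sha in sorted(files, key=lambda f: f[0].lower()):
        rows.append(f"{sha.lower()},{path}")
    return rows


if __name__ == "__main__":
    print("copies of the sample:", identical_to_sample(DROPPED))
    print("overwritten under Program Files:", len(under_program_files(DROPPED)))
    for size, paths in size_clusters(DROPPED).items():
        print(f"{len(paths)} files reported at {size} (~{parse_size(size)} bytes)")
    print("\n".join(hunting_csv(DROPPED)))
```

When sweeping, match on the SHA256 of each Program Files path rather than on the path alone: the paths are legitimate vendor locations, so a hit only means something if the on-disk hash equals the one the sandbox recorded.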