Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:38
Static task: static1
Behavioral task: behavioral1
  Sample: be879277e08563a258358f6762643974_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: be879277e08563a258358f6762643974_JaffaCakes118.exe
  Resource: win10v2004-20240319-en
General
Target: be879277e08563a258358f6762643974_JaffaCakes118.exe
Size: 266KB
MD5: be879277e08563a258358f6762643974
SHA1: 7f6e575d48b775703a329f93ce72c2e8ddf6ff3d
SHA256: 43aadb765b7818787237db22ee95f1127b98f6b78cdb0525cb72f7ed434030dc
SHA512: eb864314b7fecaa1c6c7fd28331843e1825427450afc13c1b3884922d391a53a35d2f84d1b702958a61c580661e331aa24c51da1d186fa5446b2a858bbd8021a
SSDEEP: 6144:Bm6UslkILPlAvU/xEjJ9bxwywFCbRvfrqZvqUGwZDYCf2:BmDslhGuVBr4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    pid   Process
    3788  msedge.exe
- Drops file in Program Files directory (4 IoCs)
    description   ioc                                                               Process
    File created  \??\c:\program files (x86)\microsoft\edge\application\msedge.exe  be879277e08563a258358f6762643974_JaffaCakes118.exe
    File created  \??\c:\program files (x86)\adobe\acrotray .exe                    be879277e08563a258358f6762643974_JaffaCakes118.exe
    File created  \??\c:\program files (x86)\adobe\acrotray.exe                     be879277e08563a258358f6762643974_JaffaCakes118.exe
    File created  \??\c:\program files (x86)\internet explorer\wmpscfgs.exe         be879277e08563a258358f6762643974_JaffaCakes118.exe
- Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2140  2912        WerFault.exe  93
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    2912  be879277e08563a258358f6762643974_JaffaCakes118.exe
    2912  be879277e08563a258358f6762643974_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                     pid   Process
    Token: SeDebugPrivilege         2912  be879277e08563a258358f6762643974_JaffaCakes118.exe
    Token: SeManageVolumePrivilege  3972  svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe"
  PID: 2912
  Signatures:
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child processes:
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 660
      PID: 2140
      Signatures:
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2912 -ip 2912
  PID: 3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
  PID: 3788
  Signatures:
    - Executes dropped EXE
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 4396
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 3972
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 293KB
  MD5: 28eec21fdecd132be3395f188499195a
  SHA1: 06b7cafa58d2afa0be619c2170f81151c2d066e2
  SHA256: 26add03ea318e94a247079daf523fccaa6c309b535fcb0f049929f6ff2161ca7
  SHA512: 0b2bfbfb20e6effd6341be3612c587ec656a5386f85681706293e6c409cd854e59e03f40dcc788dc467c6bbeb087279d0bcbb9fca2bfdd0c8742167ca872f04a