Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2024, 17:38

General

  • Target

    be879277e08563a258358f6762643974_JaffaCakes118.exe

  • Size

    266KB

  • MD5

    be879277e08563a258358f6762643974

  • SHA1

    7f6e575d48b775703a329f93ce72c2e8ddf6ff3d

  • SHA256

    43aadb765b7818787237db22ee95f1127b98f6b78cdb0525cb72f7ed434030dc

  • SHA512

    eb864314b7fecaa1c6c7fd28331843e1825427450afc13c1b3884922d391a53a35d2f84d1b702958a61c580661e331aa24c51da1d186fa5446b2a858bbd8021a

  • SSDEEP

    6144:Bm6UslkILPlAvU/xEjJ9bxwywFCbRvfrqZvqUGwZDYCf2:BmDslhGuVBr4

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\be879277e08563a258358f6762643974_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2912
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 660
      2⤵
      • Program crash
      PID:2140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2912 -ip 2912
    1⤵
      PID:3344
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
      1⤵
      • Executes dropped EXE
      PID:3788
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:4396
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3972

      Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

              Filesize

              293KB

              MD5

              28eec21fdecd132be3395f188499195a

              SHA1

              06b7cafa58d2afa0be619c2170f81151c2d066e2

              SHA256

              26add03ea318e94a247079daf523fccaa6c309b535fcb0f049929f6ff2161ca7

              SHA512

              0b2bfbfb20e6effd6341be3612c587ec656a5386f85681706293e6c409cd854e59e03f40dcc788dc467c6bbeb087279d0bcbb9fca2bfdd0c8742167ca872f04a

            • memory/2912-0-0x0000000010000000-0x0000000010010000-memory.dmp

              Filesize

              64KB

            • memory/3972-8-0x0000019C5F5A0000-0x0000019C5F5B0000-memory.dmp

              Filesize

              64KB

            • memory/3972-24-0x0000019C5F6A0000-0x0000019C5F6B0000-memory.dmp

              Filesize

              64KB

            • memory/3972-40-0x0000019C67A10000-0x0000019C67A11000-memory.dmp

              Filesize

              4KB

            • memory/3972-42-0x0000019C67A40000-0x0000019C67A41000-memory.dmp

              Filesize

              4KB

            • memory/3972-43-0x0000019C67A40000-0x0000019C67A41000-memory.dmp

              Filesize

              4KB

            • memory/3972-44-0x0000019C67B50000-0x0000019C67B51000-memory.dmp

              Filesize

              4KB