Analysis
- max time kernel: 155s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2024, 17:53
Static task: static1
Behavioral task: behavioral1
- Sample: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
- Size: 173KB
- MD5: bedc21cc9bb6cc278ba47dee9f32dc27
- SHA1: 7c8d177753fcf3f1afb578895e8e852a6bd75c55
- SHA256: 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
- SHA512: 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216
- SSDEEP: 3072:fBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikXO:fK5ArKjbAxXSaegUqGeGpBohMX
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | Process
  4692 | PickdVol.exe
  664 | ~36BB.tmp
  1392 | dpapance.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecEmote = "C:\\Users\\Admin\\AppData\\Roaming\\icsuhone\\PickdVol.exe" | bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\dpapance.exe | bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2272 | 5004 | WerFault.exe | 92
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, with counts)
  pid | Process
  4692 | PickdVol.exe (2 rows)
  1392 | dpapance.exe (31 rows)
  3428 | Explorer.EXE (31 rows)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3428 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3428 | Explorer.EXE
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  3428 | Explorer.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5004 wrote to memory of 4692 | 5004 | bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | 95
  PID 5004 wrote to memory of 4692 | 5004 | bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | 95
  PID 5004 wrote to memory of 4692 | 5004 | bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe | 95
  PID 4692 wrote to memory of 664 | 4692 | PickdVol.exe | 97
  PID 4692 wrote to memory of 664 | 4692 | PickdVol.exe | 97
  PID 664 wrote to memory of 3428 | 664 | ~36BB.tmp | 56
Processes
- C:\Windows\Explorer.EXE (PID 3428)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe (PID 5004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe (PID 4692)
      Command line: "C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\~36BB.tmp (PID 664)
        Command line: "C:\Users\Admin\AppData\Local\Temp\~36BB.tmp"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2272)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 684
      - Program crash
- C:\Windows\SysWOW64\dpapance.exe (PID 1392)
  Command line: C:\Windows\SysWOW64\dpapance.exe -k
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\WerFault.exe (PID 4628)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5004 -ip 5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4676)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: 05259b1cd4005deca335367b98ca7b98
  SHA1: b72274d8ff8a79d474a24a7210820bdada57ffda
  SHA256: 0aebee970b0e915bf0cfe5ee84bdc0421957e797c15e2b5f4ec22b95be5df110
  SHA512: eec6a04b937ac9398b7dd91f0b4774172172c7dd0752f502b4866c0a3ba08256909cd8134a3162e9ae93aa9bb63d99631b1d68077dc7cf07565d32cc30c6b45b
- Filesize: 173KB
  MD5: ea31c5b4d65b294112d426d4cb069eff
  SHA1: 18d553cb4ec616d6b1aeb004c92fa2c4a988ffa7
  SHA256: 9feb8247ab869d58bb6af8cca66287a383875e8666393769f19ccb41abaa0cea
  SHA512: b78c4bdf211c3d3e36f8b765ec776a6a3e26a6f0d366fd5fa560720c3140e1498bc73d8791550a5cb4751ad86f34919a6b44a9daa0f1db7d001a44f2c1b65082
- Filesize: 173KB (hashes identical to the submitted sample listed under General)
  MD5: bedc21cc9bb6cc278ba47dee9f32dc27
  SHA1: 7c8d177753fcf3f1afb578895e8e852a6bd75c55
  SHA256: 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
  SHA512: 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216