Analysis

  • max time kernel: 155s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04/04/2024, 17:53

General

  • Target: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
  • Size: 173KB
  • MD5: bedc21cc9bb6cc278ba47dee9f32dc27
  • SHA1: 7c8d177753fcf3f1afb578895e8e852a6bd75c55
  • SHA256: 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
  • SHA512: 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216
  • SSDEEP: 3072:fBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikXO:fK5ArKjbAxXSaegUqGeGpBohMX

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (1 IoC)
  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of UnmapMainImage (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3428
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe"
      PID: 5004
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe
        Command line: "C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe"
        PID: 4692
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\~36BB.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\~36BB.tmp"
          PID: 664
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 684
        PID: 2272
        • Program crash
  • C:\Windows\SysWOW64\dpapance.exe
    Command line: C:\Windows\SysWOW64\dpapance.exe -k
    PID: 1392
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
  • C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5004 -ip 5004
    PID: 4628
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
    PID: 4676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~36BB.tmp
    Filesize: 6KB
    MD5: 05259b1cd4005deca335367b98ca7b98
    SHA1: b72274d8ff8a79d474a24a7210820bdada57ffda
    SHA256: 0aebee970b0e915bf0cfe5ee84bdc0421957e797c15e2b5f4ec22b95be5df110
    SHA512: eec6a04b937ac9398b7dd91f0b4774172172c7dd0752f502b4866c0a3ba08256909cd8134a3162e9ae93aa9bb63d99631b1d68077dc7cf07565d32cc30c6b45b

  • C:\Users\Admin\AppData\Roaming\icsuhone\PickdVol.exe
    Filesize: 173KB
    MD5: ea31c5b4d65b294112d426d4cb069eff
    SHA1: 18d553cb4ec616d6b1aeb004c92fa2c4a988ffa7
    SHA256: 9feb8247ab869d58bb6af8cca66287a383875e8666393769f19ccb41abaa0cea
    SHA512: b78c4bdf211c3d3e36f8b765ec776a6a3e26a6f0d366fd5fa560720c3140e1498bc73d8791550a5cb4751ad86f34919a6b44a9daa0f1db7d001a44f2c1b65082

  • C:\Windows\SysWOW64\dpapance.exe
    Filesize: 173KB
    MD5: bedc21cc9bb6cc278ba47dee9f32dc27
    SHA1: 7c8d177753fcf3f1afb578895e8e852a6bd75c55
    SHA256: 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
    SHA512: 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216

  • memory/1392-14-0x0000000000B50000-0x0000000000B8E000-memory.dmp
    Filesize: 248KB

  • memory/1392-16-0x0000000000B50000-0x0000000000B8E000-memory.dmp
    Filesize: 248KB

  • memory/1392-19-0x0000000000B50000-0x0000000000B8E000-memory.dmp
    Filesize: 248KB

  • memory/3428-12-0x00000000083F0000-0x0000000008431000-memory.dmp
    Filesize: 260KB

  • memory/3428-15-0x00000000083F0000-0x0000000008431000-memory.dmp
    Filesize: 260KB

  • memory/4692-6-0x0000000000150000-0x000000000018E000-memory.dmp
    Filesize: 248KB

  • memory/5004-0-0x0000000000DB0000-0x0000000000DEE000-memory.dmp
    Filesize: 248KB

  • memory/5004-23-0x0000000000DB0000-0x0000000000DEE000-memory.dmp
    Filesize: 248KB