Analysis
max time kernel: 134s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 00:40
Static task: static1
Behavioral task: behavioral1
  Sample: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe
Size: 88KB
MD5: c627515de0166a6526f4ad9f5a7be0da
SHA1: 1960b94da73b75bc5e8ad2860f454af17a846983
SHA256: 1302f1aff384aa2a421895552a96cb4eaa93b67c4746190cb93b2d0910ebacc6
SHA512: 4d5e7e0325ea905f6d48b4d56a202b9b752a705bb8fe57ed20902e6a39b36cb058b07b583a5c7362ac274049c4d7df4c722ea197fca4eae329699d0ae5c75e9e
SSDEEP: 1536:W5nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:W5fvp12UFKcD/6jwqWsN
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: winver.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9911401A = "C:\\Users\\Admin\\AppData\\Roaming\\9911401A\\bin.exe"
  process: winver.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid: 2196 (WerFault.exe)
  pid_target: 4452 (winver.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: winver.exe
  pid 4452 winver.exe
  pid 4452 winver.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Explorer.EXE
  Token: SeShutdownPrivilege, pid 3452 Explorer.EXE
  Token: SeCreatePagefilePrivilege, pid 3452 Explorer.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: winver.exe
  pid 4452 winver.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
  pid 3452 Explorer.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe, winver.exe
  PID 1636 (c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe) wrote to memory of PID 4452 (winver.exe)
  PID 1636 (c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe) wrote to memory of PID 4452 (winver.exe)
  PID 1636 (c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe) wrote to memory of PID 4452 (winver.exe)
  PID 1636 (c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe) wrote to memory of PID 4452 (winver.exe)
  PID 4452 (winver.exe) wrote to memory of PID 3452 (Explorer.EXE)
  PID 4452 (winver.exe) wrote to memory of PID 3020 (sihost.exe)
  PID 4452 (winver.exe) wrote to memory of PID 3052 (svchost.exe)
Processes
(indentation follows the report's depth markers: each indented entry is a child of the entry above it)

C:\Windows\system32\sihost.exe  [cmdline: sihost.exe]  PID 3020

C:\Windows\system32\svchost.exe  [cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc]  PID 3052

C:\Windows\Explorer.EXE  [cmdline: C:\Windows\Explorer.EXE]  PID 3452
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe  [cmdline: "C:\Users\Admin\AppData\Local\Temp\c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe"]  PID 1636
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe  [cmdline: winver]  PID 4452
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe  [cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 356]  PID 2196
          - Program crash

C:\Windows\SysWOW64\WerFault.exe  [cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4452 -ip 4452]  PID 2496
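The WriteProcessMemory and Run-key signatures above, together with the process tree, describe one chain: the sample spawns the 32-bit Windows binary winver.exe and writes into it, winver.exe then persists via a Run value pointing into %APPDATA% and writes into Explorer.EXE, sihost.exe and svchost.exe before crashing under WerFault. The script below is an added example, not part of the sandbox report or its signature code: it replays the report's own event rows through the rules a detection engineer would run over sandbox or EDR telemetry. The rows are transcribed from the report; the trusted-image and user-writable-path lists and the rule logic are this example's assumptions.

```python
"""Added example, not part of the sandbox report: replay the report's own
WriteProcessMemory, Run-key and process-tree rows through detection rules.

Event rows are transcribed from the report. Everything else (what counts as a
trusted Windows image or a user-writable autostart location, and the rules)
is this example's assumption, not the sandbox's signature code.
"""
from collections import defaultdict

SAMPLE = "c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe"

# From the report: (writer pid, writer, target pid, target); 1636 -> 4452 appears four times.
WRITE_PROCESS_MEMORY = [
    (1636, SAMPLE, 4452, "winver.exe"),
    (1636, SAMPLE, 4452, "winver.exe"),
    (1636, SAMPLE, 4452, "winver.exe"),
    (1636, SAMPLE, 4452, "winver.exe"),
    (4452, "winver.exe", 3452, "Explorer.EXE"),
    (4452, "winver.exe", 3020, "sihost.exe"),
    (4452, "winver.exe", 3052, "svchost.exe"),
]

# From the report's process tree: pid -> (parent pid or None, image path).
PROCESS_TREE = {
    3020: (None, r"C:\Windows\system32\sihost.exe"),
    3052: (None, r"C:\Windows\system32\svchost.exe"),
    3452: (None, r"C:\Windows\Explorer.EXE"),
    1636: (3452, r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE),
    4452: (1636, r"C:\Windows\SysWOW64\winver.exe"),
    2196: (4452, r"C:\Windows\SysWOW64\WerFault.exe"),
    2496: (None, r"C:\Windows\SysWOW64\WerFault.exe"),
}

# From the report: (pid, registry value path, data) for the Run-key write.
RUN_KEY_EVENTS = [
    (4452,
     r"\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000"
     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9911401A",
     r"C:\Users\Admin\AppData\Roaming\9911401A\bin.exe"),
]

# Assumptions of this example (coarse: C:\Windows\Temp is user-writable on real hosts).
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_trusted_image(path):
    return path.lower().startswith(TRUSTED_IMAGE_DIRS)


def injection_edges(events):
    """Collapse repeated rows into one (writer pid, target pid) edge with a write count."""
    counts, names = defaultdict(int), {}
    for pid, proc, tpid, tproc in events:
        counts[(pid, tpid)] += 1
        names[pid], names[tpid] = proc, tproc
    return {(p, t): (names[p], names[t], n) for (p, t), n in counts.items()}


def writes_into_own_child_windows_binary(events, tree):
    """A process writing into a child it spawned whose image is a Windows binary
    (the sample -> winver.exe step). Returns (pid, name, child pid, child name, writes)."""
    hits = []
    for (pid, tpid), (proc, tproc, n) in injection_edges(events).items():
        parent, image = tree.get(tpid, (None, ""))
        if parent == pid and is_trusted_image(image):
            hits.append((pid, proc, tpid, tproc, n))
    return hits


def windows_binary_writes_into_foreign_process(events, tree):
    """A Windows binary writing into processes it did not spawn
    (winver.exe -> Explorer.EXE / sihost.exe / svchost.exe); winver.exe never needs this."""
    hits = []
    for (pid, tpid), (proc, tproc, _) in injection_edges(events).items():
        _, image = tree.get(pid, (None, ""))
        tparent, _ = tree.get(tpid, (None, ""))
        if is_trusted_image(image) and tparent != pid:
            hits.append((pid, proc, tpid, tproc))
    return sorted(hits)


def user_writable_autostarts(run_events):
    """Run-key values whose command lives in a user-writable directory."""
    hits = []
    for pid, key, data in run_events:
        if "\\currentversion\\run\\" in key.lower() and data.lower().startswith(USER_WRITABLE_DIRS):
            hits.append((pid, key.rsplit("\\", 1)[-1], data))
    return hits


def injection_chains(events, start_pid):
    """Every writer -> target path reachable from start_pid (depth-first, no cycles)."""
    edges = defaultdict(set)
    for pid, _, tpid, _ in events:
        edges[pid].add(tpid)
    paths, stack = [], [[start_pid]]
    while stack:
        path = stack.pop()
        nxt = [t for t in sorted(edges[path[-1]]) if t not in path]
        if not nxt:
            paths.append(path)
        stack.extend(path + [t] for t in nxt)
    return sorted(paths)


if __name__ == "__main__":
    print("writes into spawned Windows binary:", writes_into_own_child_windows_binary(WRITE_PROCESS_MEMORY, PROCESS_TREE))
    print("Windows binary writing into foreign processes:", windows_binary_writes_into_foreign_process(WRITE_PROCESS_MEMORY, PROCESS_TREE))
    print("autostart in user-writable path:", user_writable_autostarts(RUN_KEY_EVENTS))
    print("injection chains from the sample:", injection_chains(WRITE_PROCESS_MEMORY, 1636))
```

Two of the report's rows deserve a caveat when hunting with these rules: Explorer.EXE is the shell, and enabling SeShutdownPrivilege is part of its ordinary job, so the AdjustPrivilegeToken and UnmapMainImage rows on PID 3452 are weak signals on their own. The strong signals here are the Run value 9911401A pointing at C:\Users\Admin\AppData\Roaming\9911401A\bin.exe and a Windows binary (winver.exe) launched by a file in %TEMP% that writes into the shell and service host processes; the subsequent WerFault crash of PID 4452 is the kind of side effect injection often leaves behind and is worth correlating rather than dismissing.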