Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 02:09
Static task: static1
Behavioral task: behavioral1
  Sample: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe
Size: 49KB
MD5: c7f2d7e57ce04fbfe7444f2368dbd0d7
SHA1: b4a8f66afac14a098efd4196ef8beadc0c5d0c59
SHA256: d083d5c306cf73a20f5b759aeb8d44cbf72a65077b50a5efe4c8781cc997c9ce
SHA512: 6bc45699e2a43db4ee5a0b74f9c51f6aefbe5352a52f658da9a8cc088e1930b28641ef151228d3922b3a370beeb2b0fa992950938abede91182f943dc9e241d6
SSDEEP: 768:GCCCFlkbwAYbFshpyiB9L9Mx2BWseUCHGAwk5R9Jw:mbw/6plBTFBYNNR9Jw
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winver.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91F588E9 = "C:\\Users\\Admin\\AppData\\Roaming\\91F588E9\\bin.exe" | winver.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  4168 | 3628 | WerFault.exe | winver.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: winver.exe
  pid | process
  3628 | winver.exe
  3628 | winver.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Explorer.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 3416 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3416 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: winver.exe
  pid | process
  3628 | winver.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: Explorer.EXE
  pid | process
  3416 | Explorer.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe, winver.exe
  description | pid | process | target process
  PID 4708 wrote to memory of 3628 | 4708 | c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe | winver.exe
  PID 4708 wrote to memory of 3628 | 4708 | c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe | winver.exe
  PID 4708 wrote to memory of 3628 | 4708 | c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe | winver.exe
  PID 4708 wrote to memory of 3628 | 4708 | c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe | winver.exe
  PID 3628 wrote to memory of 3416 | 3628 | winver.exe | Explorer.EXE
  PID 3628 wrote to memory of 756 | 3628 | winver.exe | sihost.exe
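Read together, the records above describe a benign Windows binary being used as a host for injected code: the sample (PID 4708, running from the user's Temp directory) writes into the freshly started winver.exe (PID 3628) four times, and it is winver.exe, not the sample, that afterwards sets the Run value, enumerates processes and writes into Explorer.EXE and sihost.exe before crashing. The script below is an added example, not part of the sandbox report or its tooling. It takes the report's own IoC records, copied inline, and re-derives the two findings an analyst would carry forward: the per-user autorun entry pointing into AppData\Roaming, and the injection chain with its downstream targets. The directory lists and the "non-OS binary writes into an OS binary" rule are this example's assumptions, not something the report states.

```python
"""Added triage helper (not part of the sandbox report): re-derives the persistence
and process-injection findings from the report's own IoC records.

The record lists below are copied from the report's 'Adds Run key' and
'WriteProcessMemory' tables and its process tree; the directory lists and the
'non-OS binary writes into an OS binary' rule are this example's assumptions.
"""
import re
from collections import defaultdict

# WriteProcessMemory IoCs from the report: (writer pid, writer image, target pid, target image).
WRITE_PROCESS_MEMORY = [
    (4708, "c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe", 3628, "winver.exe"),
    (4708, "c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe", 3628, "winver.exe"),
    (4708, "c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe", 3628, "winver.exe"),
    (4708, "c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe", 3628, "winver.exe"),
    (3628, "winver.exe", 3416, "Explorer.EXE"),
    (3628, "winver.exe", 756, "sihost.exe"),
]

# Full image paths from the report's process tree, keyed by pid.
IMAGE_PATH = {
    756: r"C:\Windows\system32\sihost.exe",
    3416: r"C:\Windows\Explorer.EXE",
    4708: r"C:\Users\Admin\AppData\Local\Temp\c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe",
    3628: r"C:\Windows\SysWOW64\winver.exe",
    4168: r"C:\Windows\SysWOW64\WerFault.exe",
}

# The registry IoC from the report, verbatim (the sandbox doubles backslashes in the value).
RUN_KEY_IOC = (
    r"\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\91F588E9"
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\91F588E9\\bin.exe"'
)

# Assumptions for this example: where OS binaries live, and which profile
# directories an autorun entry should not normally point into.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")

# Accepts the bare IoC string or the table cell with its 'Set value (str)' prefix.
RUN_KEY_RE = re.compile(
    r"^(?:Set value \(str\)\s+)?"
    r"(?P<key>\\REGISTRY\\(?:USER|MACHINE)\\.*\\CurrentVersion\\Run(?:Once)?)"
    r'\\(?P<name>[^\\=\s]+)\s*=\s*"?(?P<value>.*?)"?$'
)


def parse_run_key(ioc):
    """Split a Run-key 'Set value' IoC into hive, key path, value name and target path."""
    m = RUN_KEY_RE.match(ioc)
    if m is None:
        return None
    hive = "HKCU" if m.group("key").upper().startswith("\\REGISTRY\\USER\\") else "HKLM"
    return {
        "hive": hive,
        "key": m.group("key"),
        "name": m.group("name"),
        # Collapse the sandbox's doubled backslashes back to a real path.
        "target": m.group("value").replace("\\\\", "\\"),
    }


def check_autorun(ioc):
    """Return the parsed entry when the Run value points into a user-writable directory."""
    parsed = parse_run_key(ioc)
    if parsed is None:
        return None
    if any(d in parsed["target"].lower() for d in USER_WRITABLE_DIRS):
        return parsed
    return None


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def injection_chains(records, image_path):
    """Count writes per (writer, target) pair and report every non-OS binary that wrote
    into an OS binary, together with the processes that OS binary then wrote into."""
    writes = defaultdict(int)
    for writer_pid, _, target_pid, _ in records:
        writes[(writer_pid, target_pid)] += 1
    findings = []
    for (writer_pid, target_pid), count in writes.items():
        writer, target = image_path.get(writer_pid, ""), image_path.get(target_pid, "")
        if is_system_binary(writer) or not is_system_binary(target):
            continue
        downstream = sorted(t for (w, t) in writes if w == target_pid)
        findings.append({"injector": writer_pid, "target": target_pid, "target_image": target,
                         "writes": count, "downstream": downstream})
    return findings


if __name__ == "__main__":
    print("persistence:", check_autorun(RUN_KEY_IOC))
    for finding in injection_chains(WRITE_PROCESS_MEMORY, IMAGE_PATH):
        print("injection:", finding)
```

On this report the script yields one persistence finding (HKCU Run value 91F588E9 pointing at C:\Users\Admin\AppData\Roaming\91F588E9\bin.exe, a path that exists only after the sample runs, so it is worth collecting from the sandbox's dropped-files view) and one injection chain (4708 writes into 3628 four times; 3628 then writes into 756 and 3416). Extending the rule to a Sysmon or EDR feed only needs the same four fields per WriteProcessMemory event plus the image path per pid.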
Processes
C:\Windows\system32\sihost.exe (command line: sihost.exe) PID:756
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:3416
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  C:\Users\Admin\AppData\Local\Temp\c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe") PID:4708
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe (command line: winver) PID:3628
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 352) PID:4168
        - Program crash
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3628 -ip 3628) PID:772