Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 04:42
Behavioral task behavioral1
Sample: cb268935f7d7fc36cde396b9957a65f7_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: cb268935f7d7fc36cde396b9957a65f7_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: cb268935f7d7fc36cde396b9957a65f7_JaffaCakes118.exe
Size: 160KB
MD5: cb268935f7d7fc36cde396b9957a65f7
SHA1: 9776927de3d1b442f3662705d3b799a29ce30f52
SHA256: 0c6e930eee944ce44d1c06c178c33bb8140af0d392b634101d9b98bc38222592
SHA512: f794d4d3abdf0eb28a57cbd6f49e0e0d5a9472831df6c3472823e7ae82b3c08ea7f710cb5170621ef6d3106dc577eda35a9fcd412b593d79d3614867fe3a02c5
SSDEEP: 1536:qEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:hY+4MiIkLZJNAQ9J6v
Malware Config
Signatures
Processes:
resource: behavioral2/memory/1640-0-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: winver.exe
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C1D3BA67 = "C:\\Users\\Admin\\AppData\\Roaming\\C1D3BA67\\bin.exe"; process: winver.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: winver.exe
pid 4912 winver.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: Explorer.EXE, RuntimeBroker.exe
Token: SeShutdownPrivilege, pid 3360 Explorer.EXE (5 entries)
Token: SeCreatePagefilePrivilege, pid 3360 Explorer.EXE (5 entries)
Token: SeShutdownPrivilege, pid 4008 RuntimeBroker.exe (2 entries)
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: winver.exe, Explorer.EXE
pid 4912 winver.exe (1 entry); pid 3360 Explorer.EXE (2 entries)
Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
pid 3360 Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: cb268935f7d7fc36cde396b9957a65f7_JaffaCakes118.exe, winver.exe, msedge.exe
PID 1640 cb268935f7d7fc36cde396b9957a65f7_JaffaCakes118.exe wrote to memory of 4912 winver.exe (4 entries)
PID 4912 winver.exe wrote to memory of 3360 Explorer.EXE (2 entries)
PID 4912 winver.exe wrote to memory of 2400 sihost.exe
PID 4912 winver.exe wrote to memory of 2420 svchost.exe
PID 4912 winver.exe wrote to memory of 2632 taskhostw.exe
PID 4912 winver.exe wrote to memory of 3540 svchost.exe
PID 4912 winver.exe wrote to memory of 3784 DllHost.exe
PID 4912 winver.exe wrote to memory of 3892 StartMenuExperienceHost.exe
PID 4912 winver.exe wrote to memory of 4008 RuntimeBroker.exe
PID 4912 winver.exe wrote to memory of 3112 SearchApp.exe
PID 4912 winver.exe wrote to memory of 4188 RuntimeBroker.exe
PID 4912 winver.exe wrote to memory of 4592 RuntimeBroker.exe
PID 4912 winver.exe wrote to memory of 3356 TextInputHost.exe
PID 4912 winver.exe wrote to memory of 2448 msedge.exe
PID 4912 winver.exe wrote to memory of 4388 msedge.exe
PID 4912 winver.exe wrote to memory of 2864 msedge.exe
PID 4912 winver.exe wrote to memory of 3852 msedge.exe
PID 4912 winver.exe wrote to memory of 2940 msedge.exe
PID 4912 winver.exe wrote to memory of 1716 msedge.exe
PID 4912 winver.exe wrote to memory of 1164 msedge.exe
PID 4912 winver.exe wrote to memory of 408 RuntimeBroker.exe
PID 4912 winver.exe wrote to memory of 3904 RuntimeBroker.exe
PID 4912 winver.exe wrote to memory of 5056 DllHost.exe
PID 2448 msedge.exe wrote to memory of 4476 msedge.exe (37 entries, the remainder of the 64 logged)
Processes
- C:\Windows\system32\sihost.exe (PID 2400), command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2420), command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2632), command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3360), command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\cb268935f7d7fc36cde396b9957a65f7_JaffaCakes118.exe (PID 1640), command line: "C:\Users\Admin\AppData\Local\Temp\cb268935f7d7fc36cde396b9957a65f7_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe (PID 4912), command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (PID 3540), command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3784), command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3892), command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4008), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3112), command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4188), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 4592), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 3356), command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2448), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4388), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ff97c662e98,0x7ff97c662ea4,0x7ff97c662eb0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2864), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2280 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3852), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3224 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2940), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3328 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1716), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5260 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1164), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4476), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
- C:\Windows\System32\RuntimeBroker.exe (PID 408), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3904), command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe (PID 5056), command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 9KB
MD5: ced3f2f686423ffda9f7108bd1c7348f
SHA1: f13c91122274ab939ef7b02b4874fc8b43a33151
SHA256: f54559f0358e2042a3d32796da627b820ff60edf84c43f6dd7d9d6fc123541f3
SHA512: e0637e88511402f77e2cd865ef024cbb020519e218fc518ab88f7a4dda8cce0fde7b3db3ebb5eccbc36f0b874ec590535ac9eadacf6e17e4ec807d5483b3066d