Analysis
- max time kernel: 127s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-04-2024 23:20
Behavioral task: behavioral1
- Sample: e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe
- Size: 515KB
- MD5: e38762223f23dd3373ba4bff00f94c7a
- SHA1: 4689e1ce8b0377527b174c9b0e6f6b2d3f3771ab
- SHA256: 4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e
- SHA512: 71cf734d2cdbcac81fd13e9dd84aeb59e90f92912687ed3020c08712ed5207da558f06e7891d49d921697cbfee29d8c3578fac08fdceacf454e4e6295c3baada
- SSDEEP: 12288:YBIL6hD2x/HAWbR2zS4si0O1A83u2BSDoCqKcty:Yw6uHAW92zt/0Wu2BSMCqD
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    3660 | Microsoft Edge.exe
    1580 | Microsoft Edge.exe
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
    resource                                                                   | yara_rule
    behavioral2/memory/3360-0-0x0000000000AB0000-0x0000000000B36000-memory.dmp | agile_net
    C:\Users\Admin\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe           | agile_net
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid  | process
    2176 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  Processes (the 43 entries are repeats of the following three processes; repeated rows collapsed):
    pid  | process
    3360 | e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe
    3660 | Microsoft Edge.exe
    1580 | Microsoft Edge.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 3360 | e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe
    Token: SeDebugPrivilege | 3660 | Microsoft Edge.exe
    Token: SeDebugPrivilege | 1580 | Microsoft Edge.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process                                            | target process
    PID 3360 wrote to memory of 4908 | 3360 | e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe | cmd.exe
    PID 3360 wrote to memory of 4908 | 3360 | e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe | cmd.exe
    PID 4908 wrote to memory of 2176 | 4908 | cmd.exe                                            | timeout.exe
    PID 4908 wrote to memory of 2176 | 4908 | cmd.exe                                            | timeout.exe
    PID 4908 wrote to memory of 2596 | 4908 | cmd.exe                                            | schtasks.exe
    PID 4908 wrote to memory of 2596 | 4908 | cmd.exe                                            | schtasks.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e38762223f23dd3373ba4bff00f94c7a_JaffaCakes118.exe"
  PID: 3360
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD7F1.tmp.cmd""
    PID: 4908
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      command line: timeout 1
      PID: 2176
      signatures: Delays execution with timeout.exe
    - C:\Windows\system32\schtasks.exe
      command line: schtasks.exe /create /f /sc MINUTE /mo 1 /tn "Microsoft Edge" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"'
      PID: 2596
      signatures: Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
  PID: 1188
- C:\Users\Admin\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"
  PID: 3660
  signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft Edge\Microsoft Edge.exe"
  PID: 1580
  signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 266B
  MD5: 29ed0f942e492a9c2602e823eb9cbc38
  SHA1: 8a60f61ac7eddf9a38145517fb54b2744945c812
  SHA256: c40399d8f7c6883959ba23f18969da75e63334168cf37e7c7b5ba85422570303
  SHA512: b325e540bfab9ae91e8244dd9e23f0f7e711c9006c88d89d2f17ac551873877e381521fef4652edd5cec4ef77bb91a381ddda840bbf66d9f283bf1b85b8866be
- Filesize: 515KB
  MD5: e38762223f23dd3373ba4bff00f94c7a
  SHA1: 4689e1ce8b0377527b174c9b0e6f6b2d3f3771ab
  SHA256: 4a6f525c5728145789924c96d5c8786dde14054a1d2a39db9c22fa8b30db0d6e
  SHA512: 71cf734d2cdbcac81fd13e9dd84aeb59e90f92912687ed3020c08712ed5207da558f06e7891d49d921697cbfee29d8c3578fac08fdceacf454e4e6295c3baada