Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 18:09

Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
Resource: win7-20240221-en
Platform: windows7-x64
5 signatures
150 seconds
General
Target: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
Size: 796KB
MD5: f1ab64464f0534e75123ab6e5f42dd6c
SHA1: d9f427e676c7d17a2d2fdafd72ff383361014c83
SHA256: 6dd06780f4dacd0f0fc9f044d6200e989e9435ef8977cc3a1396aebad13b1caf
SHA512: 89ea99a14dad6a9e94dd191b32e5483472fbcaa3678fdc5a3ed3b0f3a177f2c6da20713705b9a9b517bea55364a8a3bc9c9181ccbfad6d3d87b2fa29bcc321e8
SSDEEP: 12288:PKJRoPSM52au1bbL35noWJYjmAPjTrbksHMntHGrxV5YzJbotc6vq20QPXn:GKSc2autL3WOYNLStHGr+9ktc6vqm/
Malware Config
Signatures
Suspicious use of SetThreadContext (1 IoCs)
Processes: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
description | pid | Process | procid_target
PID 3800 set thread context of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
pid | Process
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe, cvtres.exe
description | pid | Process
Token: SeDebugPrivilege | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2368 | cvtres.exe
Token: SeSecurityPrivilege | 2368 | cvtres.exe
Token: SeTakeOwnershipPrivilege | 2368 | cvtres.exe
Token: SeLoadDriverPrivilege | 2368 | cvtres.exe
Token: SeSystemProfilePrivilege | 2368 | cvtres.exe
Token: SeSystemtimePrivilege | 2368 | cvtres.exe
Token: SeProfSingleProcessPrivilege | 2368 | cvtres.exe
Token: SeIncBasePriorityPrivilege | 2368 | cvtres.exe
Token: SeCreatePagefilePrivilege | 2368 | cvtres.exe
Token: SeBackupPrivilege | 2368 | cvtres.exe
Token: SeRestorePrivilege | 2368 | cvtres.exe
Token: SeShutdownPrivilege | 2368 | cvtres.exe
Token: SeDebugPrivilege | 2368 | cvtres.exe
Token: SeSystemEnvironmentPrivilege | 2368 | cvtres.exe
Token: SeChangeNotifyPrivilege | 2368 | cvtres.exe
Token: SeRemoteShutdownPrivilege | 2368 | cvtres.exe
Token: SeUndockPrivilege | 2368 | cvtres.exe
Token: SeManageVolumePrivilege | 2368 | cvtres.exe
Token: SeImpersonatePrivilege | 2368 | cvtres.exe
Token: SeCreateGlobalPrivilege | 2368 | cvtres.exe
Token: 33 | 2368 | cvtres.exe
Token: 34 | 2368 | cvtres.exe
Token: 35 | 2368 | cvtres.exe
Token: 36 | 2368 | cvtres.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: cvtres.exe
pid | Process
2368 | cvtres.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe, cvtres.exe
description | pid | Process | procid_target
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 3800 wrote to memory of 2368 | 3800 | f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe | 89
PID 2368 wrote to memory of 1432 | 2368 | cvtres.exe | 90
PID 2368 wrote to memory of 1432 | 2368 | cvtres.exe | 90
PID 2368 wrote to memory of 1432 | 2368 | cvtres.exe | 90
PID 2368 wrote to memory of 3480 | 2368 | cvtres.exe | 91
PID 2368 wrote to memory of 3480 | 2368 | cvtres.exe | 91
Processes (process tree; indentation shows depth)
C:\Users\Admin\AppData\Local\Temp\f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1ab64464f0534e75123ab6e5f42dd6c_JaffaCakes118.exe"
  Depth: 1
  PID: 3800
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Depth: 2
    PID: 2368
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      Depth: 3
      PID: 1432
    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
      Depth: 3
      PID: 3480