Analysis

Max time kernel: 138s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/04/2024, 12:10
Static task: static1

Behavioral task: behavioral1
  Sample: f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
Size: 356KB
MD5: f377c45fa62047578d8d8650e5468a27
SHA1: 529a01aab9d23110f151fba78380bea04399914d
SHA256: 3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569
SHA512: ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81
SSDEEP: 6144:7vbx84d/xDLY1hn1sL9cXiBmagG12+cJfBUOyIjyDq:7XfLwsRcXciBUOf3
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  5060  GwK96GiyF.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  4544  GwK96GiyF.exe
  5060  GwK96GiyF.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  2076  f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  2076  f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  5060  GwK96GiyF.exe
  5060  GwK96GiyF.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g06Ra0JrLFH9LsN = "C:\\ProgramData\\3NtR3IDwqdiJXVO\\GwK96GiyF.exe"
  Process: f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  Note: the value is written under the sandbox user's HKCU hive (HKEY_USERS\S-1-5-21-...-1000), so it is per-user persistence that needs no elevation; both the value name and the ProgramData sub-directory are random-looking strings.

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                              procid_target
  PID 4028 set thread context of 2076  4028  f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe  91
  PID 4544 set thread context of 5060  4544  GwK96GiyF.exe                                       93
  PID 5060 set thread context of 1392  5060  GwK96GiyF.exe                                       102

Suspicious use of WriteProcessMemory (21 IoCs; identical repeated rows collapsed, with the repeat count shown)
  description                        count  pid   Process                                              procid_target
  PID 4028 wrote to memory of 2076   5      4028  f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe  91
  PID 2076 wrote to memory of 4544   3      2076  f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe  92
  PID 4544 wrote to memory of 5060   5      4544  GwK96GiyF.exe                                       93
  PID 5060 wrote to memory of 1504   3      5060  GwK96GiyF.exe                                       99
  PID 5060 wrote to memory of 1392   5      5060  GwK96GiyF.exe                                       102

  procid_target is the report's own process index (the numbering used in its process list), not a Windows PID. The three targets that received both WriteProcessMemory and SetThreadContext from the same source (2076, 5060, 1392) are the ones where a written image was then given control, which is the footprint of process hollowing / thread hijacking; 4544 and 1504 only received writes.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
  PID: 4028
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
    PID: 2076
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe
      Command line: "C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe"
      PID: 4544
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe
        Command line: "C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe"
        PID: 5060
        - Deletes itself
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /i:5060
          PID: 1504

        [depth 5] C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
          Command line: "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" /i:5060
          PID: 1392

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
  PID: 1844

The chain is: the sample relaunches itself (4028 -> 2076) and the second instance writes the dropped GwK96GiyF.exe into C:\ProgramData\3NtR3IDwqdiJXVO\ and registers it in the Run key; the dropped copy repeats the same self-relaunch (4544 -> 5060), deletes the original, and the final instance starts two legitimate signed binaries, iexplore.exe and GoogleUpdateBroker.exe, and writes into both. The /i:5060 argument passed to both of those children is the PID of the GwK96GiyF.exe instance that injects into them. The msedge.exe utility process is a separate depth-1 tree and has no flagged behaviour in this report.
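The two signature tables above (WriteProcessMemory and SetThreadContext) and the process tree together pin down the injection chain, but reading it off 24 rows by eye is error-prone. The following is an added example, not part of the sandbox report or of the sample itself: it parses rows in the report's "PID A wrote to memory of B ..." format, separates source/target pairs that show both a write and a SetThreadContext (the hollowing / thread-hijack footprint) from write-only pairs, and walks the chain from the root PID. The event rows and the PID-to-image map are constructed here from the values on this page; the "hollowing candidate" label is a heuristic, not a verdict from the report.

```python
import re
from collections import defaultdict

# Constructed from the report's Signatures section: one IoC row per line.
# Columns: description, pid, Process, procid_target (the last is the report's
# internal process index, not a Windows PID). Repeated rows are kept; the
# set logic below makes the duplicates harmless.
SAMPLE_EVENTS = """\
PID 4028 wrote to memory of 2076 4028 f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe 91
PID 4028 wrote to memory of 2076 4028 f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe 91
PID 2076 wrote to memory of 4544 2076 f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe 92
PID 4544 wrote to memory of 5060 4544 GwK96GiyF.exe 93
PID 5060 wrote to memory of 1504 5060 GwK96GiyF.exe 99
PID 5060 wrote to memory of 1392 5060 GwK96GiyF.exe 102
PID 4028 set thread context of 2076 4028 f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe 91
PID 4544 set thread context of 5060 4544 GwK96GiyF.exe 93
PID 5060 set thread context of 1392 5060 GwK96GiyF.exe 102
"""

# Constructed from the report's Processes section: PID -> image file name.
SAMPLE_PROCESSES = {
    4028: "f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe",
    2076: "f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe",
    4544: "GwK96GiyF.exe",
    5060: "GwK96GiyF.exe",
    1504: "iexplore.exe",
    1392: "GoogleUpdateBroker.exe",
}

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target_idx>\d+)$"
)
ACTIONS = {"wrote to memory of": "write", "set thread context of": "set_ctx"}


def parse_events(text):
    """Parse report rows into dicts. Rows that do not match are skipped,
    never guessed at."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "action": ACTIONS[m["action"]],
            "image": m["image"],
        })
    return events


def classify_pairs(events):
    """Split (src, dst) edges into two buckets.

    A source that both wrote into a target and then replaced one of its
    thread contexts is the classic process-hollowing / thread-hijack
    footprint. A write with no SetThreadContext is weaker evidence on its
    own: sandboxes also log the writes a parent performs when it launches
    a child, which is what the 2076 -> 4544 edge looks like here.
    """
    writes = {(e["src"], e["dst"]) for e in events if e["action"] == "write"}
    ctx = {(e["src"], e["dst"]) for e in events if e["action"] == "set_ctx"}
    return {
        "hollowing_candidates": sorted(writes & ctx),
        "write_only": sorted(writes - ctx),
    }


def injection_chain(events, root):
    """Depth-first walk of src -> dst edges from the root PID; returns the
    PIDs in the order reached. Visited-set guards against cycles."""
    edges = defaultdict(set)
    for e in events:
        edges[e["src"]].add(e["dst"])
    seen, order, stack = set(), [], [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(sorted(edges[pid], reverse=True))
    return order


def describe(pairs, processes):
    """Render (src, dst) pairs with image names for a human-readable report."""
    return [f"{s} ({processes.get(s, '?')}) -> {d} ({processes.get(d, '?')})"
            for s, d in pairs]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    buckets = classify_pairs(evs)
    print("hollowing candidates:")
    for line in describe(buckets["hollowing_candidates"], SAMPLE_PROCESSES):
        print("  " + line)
    print("write-only:")
    for line in describe(buckets["write_only"], SAMPLE_PROCESSES):
        print("  " + line)
    print("chain from 4028:", " -> ".join(map(str, injection_chain(evs, 4028))))
```

On the rows from this report the hollowing candidates come out as 4028 -> 2076, 4544 -> 5060 and 5060 -> 1392 (GoogleUpdateBroker.exe), while 2076 -> 4544 and 5060 -> 1504 (iexplore.exe) are write-only; the chain from 4028 visits all six PIDs. When applying the same logic to live telemetry (Sysmon event ID 8/10 or EDR process-access events), keep the two buckets separate: the write-plus-SetThreadContext pair is the high-confidence alert, the write-only pair is context.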
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 356KB
  MD5: f377c45fa62047578d8d8650e5468a27
  SHA1: 529a01aab9d23110f151fba78380bea04399914d
  SHA256: 3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569
  SHA512: ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81

File 2
  Filesize: 356KB
  MD5: f8829d1ea210ffd3dff2f2d74cce7f60
  SHA1: b424f19679d41c7d67e0ca7472351e0e75204361
  SHA256: d329299b93ba484f9e4e0011e3e8391cf5b5688afffddf13ea9837e330a5b9ec
  SHA512: 5c4dfa76c9ae6c7cd5db6897325e593d97a8a29b5f4f8afd387960292aae1474beed8e6c13b157240fb292261455d1a8731cce64632df378cbc6ff4093614239