Analysis
-
max time kernel
94s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
17-04-2024 05:13
Behavioral task
behavioral1
Sample
f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe
-
Size
5.4MB
-
MD5
f51b489073e0a0e9fff1a9d8f0e09185
-
SHA1
c8a2cf999334870c51ead8e366ce51ee916b6e3f
-
SHA256
e4c2460165de097c187d1a646cfc513d32a9130a0e3fe40a359f82b54987bb23
-
SHA512
c724d3245868a6a6a90ad0f169ba39857f192809ac0e0b7919ebd53ca7669080703571fd235e129130ddc157286534905dcb6ca7e951e7d8ce3347184eb89484
-
SSDEEP
98304:7aK90IOLFoFMy2Wt6E8jtpOEv9NdHkyLhiCyIgFfffHyBUMUbv5wOJERH:X9POJa2WD69Nay8Mg1ffS2/K4ER
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/1104-2-0x0000000000E10000-0x00000000016C0000-memory.dmp vmprotect behavioral2/memory/1104-66-0x0000000000E10000-0x00000000016C0000-memory.dmp vmprotect -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 icanhazip.com -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 1588 powershell.exe 1588 powershell.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 1588 powershell.exe Token: SeIncreaseQuotaPrivilege 1588 powershell.exe Token: SeSecurityPrivilege 1588 powershell.exe Token: SeTakeOwnershipPrivilege 1588 powershell.exe Token: SeLoadDriverPrivilege 1588 powershell.exe Token: SeSystemProfilePrivilege 1588 powershell.exe Token: SeSystemtimePrivilege 1588 powershell.exe Token: SeProfSingleProcessPrivilege 1588 powershell.exe Token: SeIncBasePriorityPrivilege 1588 powershell.exe Token: SeCreatePagefilePrivilege 1588 powershell.exe Token: SeBackupPrivilege 1588 powershell.exe Token: SeRestorePrivilege 1588 powershell.exe Token: SeShutdownPrivilege 1588 powershell.exe Token: SeDebugPrivilege 1588 powershell.exe Token: SeSystemEnvironmentPrivilege 1588 powershell.exe Token: SeRemoteShutdownPrivilege 1588 powershell.exe Token: SeUndockPrivilege 1588 powershell.exe Token: SeManageVolumePrivilege 1588 powershell.exe Token: 33 1588 powershell.exe Token: 34 1588 powershell.exe Token: 35 1588 powershell.exe Token: 36 1588 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1104 wrote to memory of 4624 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 90 PID 1104 wrote to memory of 4624 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 90 PID 1104 wrote to memory of 4624 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 90 PID 4624 wrote to memory of 1588 4624 cmd.exe 92 PID 4624 wrote to memory of 1588 4624 cmd.exe 92 PID 4624 wrote to memory of 1588 4624 cmd.exe 92 PID 1104 wrote to memory of 4036 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 97 PID 1104 wrote to memory of 4036 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 97 PID 1104 wrote to memory of 4036 1104 f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-NetAdapter3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]2⤵PID:4036
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42B
MD556120ea7d97e691243935b98d32f4b65
SHA1f89f6249a946882410de06765ec07e11f2608177
SHA2561d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67
SHA5124cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b
-
Filesize
369B
MD514ffde76db65568c139e7d55e00085e1
SHA1f6013770a0a3be2f924851a8a17a251568cbfbda
SHA256402acf83f09cf87461b4a25d9b09cb3d197e79883ad526c3efc9911114717eab
SHA51208023212fa359d7a9b34785b15101f9632ffd49430e0a60cfb05bdd7fa3a87ff573a4a976c2068bdec5d723b1b6ed2e5dc870ebad9601e59cf071e607b0b4248
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82