2657b39661efb1b3fb0cc5fbf2328183bd65b8d1e4d69a085b3088993a7f6e29

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe
Size

506KB
MD5

f88dc792c27a883f781a03991ca51e53
SHA1

c0d031e7fa7d7c143a737953411c86ce4d6c9424
SHA256

2657b39661efb1b3fb0cc5fbf2328183bd65b8d1e4d69a085b3088993a7f6e29
SHA512

fc5baa654c4c5097407a16503e25e606644c218af2f64d0d3772dc0e93908ce3f19061083d64814038742e2ae0081f8a01d6718711473ab4f39f9165e15e188b
SSDEEP

12288:AcSDQEbrHbxiHbMJw+nexcsOpC14BQr1nSInFDbu7H47so9+:AcIQ6bw7MpS3//Bi7HE7Q

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
15	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe
4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3672	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3672	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe
4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4872	3672	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe	90
PID 3672 wrote to memory of 4872	3672	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe	90
PID 3672 wrote to memory of 4872	3672	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe	90
PID 4872 wrote to memory of 4636	4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe	91
PID 4872 wrote to memory of 4636	4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe	91
PID 4872 wrote to memory of 4636	4872	f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe" /TN Google_Trk_Updater /F
    3⤵
    - Creates scheduled task(s)
    PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f88dc792c27a883f781a03991ca51e53_JaffaCakes118.exe

Filesize
506KB

MD5
d798ccbf7a1834c7cad0fc8f99ef95ee

SHA1
3d86d88896c9fce778068e5aa95f90b51f6bc2dc

SHA256
b110f8766e558105424bd5b94f40752a863bc973c82c4a10908251834569254b

SHA512
8c3920d7b3c783bd7ea9064577eb127b7b294ed14bfeabadfc949adc07409271af2a4eb16d86002647a704f3be525f3886bd2185e52f97842d156d31966b8c78

Download Submit
memory/3672-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3672-1-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/3672-2-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3672-11-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4872-15-0x0000000001510000-0x0000000001593000-memory.dmp

Filesize
524KB

Download
memory/4872-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4872-20-0x00000000016F0000-0x000000000176E000-memory.dmp

Filesize
504KB

Download
memory/4872-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4872-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download