Analysis
max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
20/04/2024, 04:07
Static task
static1
Behavioral task
behavioral1
Sample
fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
Target
fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
Size
711KB
MD5
fbe43fc93b56d678f5b6d33f3b0d65b0
SHA1
2f76eee1c752d3894cdbb52841bd08fb0d20ddc1
SHA256
2ffee4f8944dd5d8cb197da1f91cc85e453471b555b854f83a32c5b380d1a071
SHA512
3ca078f44dbccb5c65d7a4c5b1f7e25167f7bd883ceaed45bf9d4cf8795da192b0052c3b0f3d10855e88d5cd667864ecd88e0114e4e027756c1ce5181f1d702c
SSDEEP
12288:0MViJAFvKqrhxrVsVpp7gx6v6XzD/Dgg6P7EBf8tsMm9nAO3BT5UyFLD:hiKFv5jsHp7iXzDaP7+6O3B9FP
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID    Process
  4080   servers.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                           PID    Process       procid_target
  PID 4080 set thread context of 1068   4080   servers.exe   99

Drops file in Windows directory (2 IoCs)
  Description                    IoC                       Process
  File created                   C:\Windows\servers.exe    fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
  File opened for modification   C:\Windows\servers.exe    fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe

Program crash (5 IoCs)
  PID    pid_target   Process        procid_target
  2232   2396         WerFault.exe   85
  5108   2396         WerFault.exe   85
  3436   4080         WerFault.exe   94
  696    4080         WerFault.exe   94
  2488   1068         WerFault.exe   99

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description               PID    Process
  Token: SeDebugPrivilege   2396   fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe
  Token: SeDebugPrivilege   4080   servers.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  Description                         PID    Process       procid_target
  PID 4080 wrote to memory of 1068    4080   servers.exe   99   (identical row reported 5 times)
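Read together, the signature rows say: the sample drops C:\Windows\servers.exe, servers.exe enables SeDebugPrivilege, writes into process 1068 five times, resets one of its thread contexts, and 1068 then crashes under WerFault. That sequence (remote memory writes followed by SetThreadContext on a child the injector started) is the trace hollowing-style injection leaves in a behavioural log, and it is easier to assert on than to read by eye. The script below is an added example written for this page, not part of the sandbox output or of its vendor's tooling: the EVENTS list is hand-transcribed from the rows above as constructed input, and the operation names, the correlation rule and the T1055.012 mapping are our own assumptions rather than fields of the report.

```python
"""Correlate the behavioural signature rows of this report into a
process-injection finding.

Added example for this page, not sandbox output. EVENTS is transcribed by
hand from the Signatures section (source PID, image, operation, target);
the operation names, correlation rule and ATT&CK mapping are assumptions.
"""
from collections import defaultdict

SAMPLE = "fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe"

# Constructed input: one tuple per signature row on the page.
EVENTS = [
    (2396, SAMPLE, "file_create", r"C:\Windows\servers.exe"),
    (2396, SAMPLE, "file_modify", r"C:\Windows\servers.exe"),
    (2396, SAMPLE, "adjust_privilege", "SeDebugPrivilege"),
    (4080, "servers.exe", "exec_dropped", r"C:\Windows\servers.exe"),
    (4080, "servers.exe", "adjust_privilege", "SeDebugPrivilege"),
    *([(4080, "servers.exe", "write_process_memory", 1068)] * 5),
    (4080, "servers.exe", "set_thread_context", 1068),
    (2232, "WerFault.exe", "crash", 2396),
    (5108, "WerFault.exe", "crash", 2396),
    (3436, "WerFault.exe", "crash", 4080),
    (696, "WerFault.exe", "crash", 4080),
    (2488, "WerFault.exe", "crash", 1068),
]


def find_injection(events):
    """Return (injector, target, write count, target crashed) for each pair
    where one process both wrote into another's memory and reset one of its
    thread contexts. A crash of the target afterwards (typical when the
    injected image does not run cleanly in the target) is corroborating
    evidence only; the write+context pair is the rule."""
    writes = defaultdict(int)
    ctx_targets = set()
    crashed = {target for _, _, op, target in events if op == "crash"}
    for pid, _image, op, target in events:
        if op == "write_process_memory":
            writes[(pid, target)] += 1
        elif op == "set_thread_context":
            ctx_targets.add((pid, target))
    return sorted(
        (src, dst, writes[(src, dst)], dst in crashed)
        for (src, dst) in ctx_targets
        if writes[(src, dst)] > 0
    )


def dropped_and_executed(events):
    """Paths the sample created on disk that later ran as a process."""
    created = {target for _, _, op, target in events if op == "file_create"}
    return sorted({target for _, _, op, target in events
                   if op == "exec_dropped" and target in created})


def debug_privilege_pids(events):
    """Processes that enabled SeDebugPrivilege. Injectors commonly enable it
    so OpenProcess succeeds on processes owned by other users; it is not
    needed for a child the injector created itself, so its presence here is
    a habit of the tooling rather than a requirement of this run."""
    return sorted({pid for pid, _, op, target in events
                   if op == "adjust_privilege" and target == "SeDebugPrivilege"})


def summarize(events):
    """Aggregate the findings into one record a triage note can quote."""
    injections = find_injection(events)
    return {
        "injection": injections,
        "dropped_and_executed": dropped_and_executed(events),
        "debug_privilege_pids": debug_privilege_pids(events),
        # Assumed mapping: memory writes plus a thread-context reset into a
        # child svchost.exe (per the process tree) is T1055.012, Process
        # Hollowing, under the T1055 Process Injection technique.
        "attack_techniques": ["T1055.012"] if injections else [],
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

The rule deliberately keys on the pair of operations from the same source PID to the same target PID rather than on either alone: WriteProcessMemory without SetThreadContext is common in debuggers and installers, and SetThreadContext on a thread the caller owns is routine, so only the combination against another process is worth paging on.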
Processes
C:\Users\Admin\AppData\Local\Temp\fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe (PID 2396)
  command line: "C:\Users\Admin\AppData\Local\Temp\fbe43fc93b56d678f5b6d33f3b0d65b0_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 220 (PID 2232)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 228 (PID 5108)
      - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2396 -ip 2396 (PID 1508)
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2396 -ip 2396 (PID 4692)
C:\Windows\servers.exe (PID 4080)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 216 (PID 3436)
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 224 (PID 696)
      - Program crash
    C:\WINDOWS\SysWOW64\svchost.exe (PID 1068)
      command line: C:\WINDOWS\system32\svchost.exe
      (image path and command line differ because the 32-bit parent asked for system32\svchost.exe and WoW64 file-system redirection mapped it to SysWOW64; this 32-bit svchost.exe is the target of the WriteProcessMemory and SetThreadContext signatures above)
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 12 (PID 2488)
          - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4080 -ip 4080 (PID 2700)
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4080 -ip 4080 (PID 1048)
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1068 -ip 1068 (PID 1872)
Network
MITRE ATT&CK Matrix
Downloads
Filesize
711KB
MD5
fbe43fc93b56d678f5b6d33f3b0d65b0
SHA1
2f76eee1c752d3894cdbb52841bd08fb0d20ddc1
SHA256
2ffee4f8944dd5d8cb197da1f91cc85e453471b555b854f83a32c5b380d1a071
SHA512
3ca078f44dbccb5c65d7a4c5b1f7e25167f7bd883ceaed45bf9d4cf8795da192b0052c3b0f3d10855e88d5cd667864ecd88e0114e4e027756c1ce5181f1d702c