Analysis
- max time kernel: 60s
- max time network: 56s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 17:15
Static task: static1
Behavioral task: behavioral1
- Sample: 035a27584ca5c489b0f5b3e58fccb139_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 035a27584ca5c489b0f5b3e58fccb139_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 035a27584ca5c489b0f5b3e58fccb139_JaffaCakes118.exe
- Size: 941KB
- MD5: 035a27584ca5c489b0f5b3e58fccb139
- SHA1: f1a41d791ff9578621714ddf35edd110e1dc1b17
- SHA256: e93b9a00886b7a569dc09337361d246c4ac74d3a061579ea4ad33b9ad19f7bde
- SHA512: 82d13b467fb2ba330efc01e66cff1800e43b18e48bedd52e578cfd68ce8f71de8699818c73aab5532dc4ccb260df9c0848da6446d8ec444de4c2e770d34f08f1
- SSDEEP: 24576:3eFW2Er1a0wJleRvG92zfcj3QNff+Ia18V4:3eFuA9wvGATkAhf/i8i
Malware Config
Signatures
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Memory regions matching yara_rule upx (resource / yara_rule):
  - behavioral2/memory/116-16-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-26-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-27-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-29-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-32-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-31-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-28-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-106-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-121-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-124-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-123-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-125-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-126-0x0000000000400000-0x0000000000608000-memory.dmp: upx
  - behavioral2/memory/116-127-0x0000000000400000-0x0000000000608000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
    Process: 035a27584ca5c489b0f5b3e58fccb139_JaffaCakes118.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
    Process: taskmgr.exe
  - description: Key value queried
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
    Process: taskmgr.exe
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
    Process: taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Process: taskmgr.exe
  - description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Process: taskmgr.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    Process: chrome.exe
  - description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    Process: chrome.exe
  - description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
    Process: chrome.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid / Process (34 entries in total, grouped by process):
  - 2836 chrome.exe (2 entries)
  - 116 035a27584ca5c489b0f5b3e58fccb139_JaffaCakes118.exe (4 entries)
  - 1336 taskmgr.exe (remaining 28 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid / Process: 2836 chrome.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description / pid / Process:
  - Token: SeShutdownPrivilege, 2836 chrome.exe
  - Token: SeCreatePagefilePrivilege, 2836 chrome.exe
  - Token: SeShutdownPrivilege, 2836 chrome.exe
  - Token: SeCreatePagefilePrivilege, 2836 chrome.exe
  - Token: SeDebugPrivilege, 1336 taskmgr.exe
  - Token: SeSystemProfilePrivilege, 1336 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, 1336 taskmgr.exe
  - Token: 33, 1336 taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, 1336 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid / Process: 64 entries in total, a run of 2836 chrome.exe followed by a run of 1336 taskmgr.exe
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid / Process: 64 entries in total, a run of 2836 chrome.exe followed by a run of 1336 taskmgr.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (64 entries in total; every row has pid 2836 chrome.exe as the writer, and each target is repeated across many rows):
  - PID 2836 wrote to memory of 4560, procid_target 91
  - PID 2836 wrote to memory of 4240, procid_target 92
  - PID 2836 wrote to memory of 3804, procid_target 93
  - PID 2836 wrote to memory of 4252, procid_target 94
Processes
- C:\Users\Admin\AppData\Local\Temp\035a27584ca5c489b0f5b3e58fccb139_JaffaCakes118.exe (PID 116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\035a27584ca5c489b0f5b3e58fccb139_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2836)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4560)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffdfb8cc40,0x7fffdfb8cc4c,0x7fffdfb8cc58
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4240)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,15236839078099675274,14252849324474493729,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1884 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3804)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,15236839078099675274,14252849324474493729,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2156 /prefetch:3
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4252)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,15236839078099675274,14252849324474493729,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2596 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 912)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,15236839078099675274,14252849324474493729,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3140 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3476)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3376,i,15236839078099675274,14252849324474493729,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3392 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3616)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,15236839078099675274,14252849324474493729,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4512 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 316)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3116,i,15236839078099675274,14252849324474493729,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4456 /prefetch:1
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe (PID 3524)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
- C:\Windows\system32\taskmgr.exe (PID 1336)
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe (PID 4592)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 941KB
  MD5: 035a27584ca5c489b0f5b3e58fccb139
  SHA1: f1a41d791ff9578621714ddf35edd110e1dc1b17
  SHA256: e93b9a00886b7a569dc09337361d246c4ac74d3a061579ea4ad33b9ad19f7bde
  SHA512: 82d13b467fb2ba330efc01e66cff1800e43b18e48bedd52e578cfd68ce8f71de8699818c73aab5532dc4ccb260df9c0848da6446d8ec444de4c2e770d34f08f1
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 8KB
  MD5: 1b53ee8f46c1666863bd1e1cca2841dc
  SHA1: a1e48dd75435fa37e29c94b9a4bb814c5aac9432
  SHA256: 8cf5f37970c9ce0a7c1e7f70f14a2e217f9b4765e2c4a24fe18c0d4c362f705b
  SHA512: 4b89f68477762fba423080e25b9f4a9162ac072775696499c283ef4802d56fbc435704e87686e14b1ab0c4938b5fa602f7876fae2ae9e77f05694fcc84be89b6
- Filesize: 77KB
  MD5: 6eeb65f5414a1dca543081be7aaf11f0
  SHA1: 53a604e8d00009a9225d44a97ed3f045cb59f221
  SHA256: 61e1dad6c61ba63987b175a79c804c177961551e9edbc4dd064ae81ac55f0b1e
  SHA512: 42160d2698726458d4bcd8285ed2748ba78f1942ed533b333cbc2a5473a5ad9c48b7afb4ec5ead87ace532a9a37788039ea0b9e1bc6b7eb892d6f6cd048406a7