Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
30-04-2024 02:48
Static task
static1
Behavioral task
behavioral1
Sample
08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe
-
Size
120KB
-
MD5
08dac7cd7811478ca3034abea01f7ef3
-
SHA1
39fb4257800f4ea0225f5dbd3f6784148d8a0b35
-
SHA256
11dbb021b663c84e26663121e993e3384f793267426373e8e1b0e5d335fb22ba
-
SHA512
e17ce09a80f3141399a75ca7bba7f24d7a8f3b40cea23654b2cd6e94e3c854627c50acb23845e7a882d74abb94e4c400829183fd60af6c4851052fb9e4d58d52
-
SSDEEP
3072:jsSVfjdK41ap0intKLzKhiEQnE4qXYjXqX:jsSxw41aSitSOhiEQdAX
Malware Config
Signatures
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies matrixcycle.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 matrixcycle.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 matrixcycle.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE matrixcycle.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" matrixcycle.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix matrixcycle.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" matrixcycle.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe 3388 matrixcycle.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1424 08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3912 wrote to memory of 1424 3912 08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe 86 PID 3912 wrote to memory of 1424 3912 08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe 86 PID 3912 wrote to memory of 1424 3912 08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe 86 PID 3472 wrote to memory of 3388 3472 matrixcycle.exe 88 PID 3472 wrote to memory of 3388 3472 matrixcycle.exe 88 PID 3472 wrote to memory of 3388 3472 matrixcycle.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\08dac7cd7811478ca3034abea01f7ef3_JaffaCakes118.exe--96f825192⤵
- Suspicious behavior: RenamesItself
PID:1424
-
-
C:\Windows\SysWOW64\matrixcycle.exe"C:\Windows\SysWOW64\matrixcycle.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\matrixcycle.exe--de40dafb2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3388
-
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
156 B 3