Resubmissions
04-05-2024 21:51
240504-1qqv3scc8z 10 04-05-2024 21:49
240504-1pnpbsfd78 10 04-05-2024 20:06
240504-yvtfnahf9x 10
Analysis
max time kernel: 52s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 21:49
Behavioral task: behavioral1
Sample: 14482d720ca414b66340964da9d65036_JaffaCakes118.exe
Resource: win10v2004-20240426-en
Errors
General
Target: 14482d720ca414b66340964da9d65036_JaffaCakes118.exe
Size: 69KB
MD5: 14482d720ca414b66340964da9d65036
SHA1: 6e37ac5c955f17bf5eab8c150179d4a9d41f6045
SHA256: b323df0d03003d63a31e6b6c629f261e70806df26772548346a98e74dff7795d
SHA512: 4a0c7fbd958bf766f2e84e95a82c6604b8b4e46ade9880c6cf9395a80c35a355efa1679dc1fdcd86c277c5ed4d5c03e5e5f5b9c091dfd75fc0bab93974b8ac70
SSDEEP: 1536:rZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAmMqqU+2bbbAV2/S2Lccu:rBounVyFHjMqqDL2/Lcc
Malware Config
Signatures
GandCrab payload (1 IoCs)
resource | yara_rule
behavioral1/memory/2336-0-0x000000000FDE0000-0x000000000FDF6000-memory.dmp | family_gandcrab
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3144 | 2336 | WerFault.exe | 81
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, all from the same process)
pid | Process
404 | taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
404 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 404 | taskmgr.exe
Token: SeSystemProfilePrivilege | 404 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 404 | taskmgr.exe
Suspicious use of FindShellTrayWindow (62 IoCs, all from the same process)
pid | Process
404 | taskmgr.exe
Suspicious use of SendNotifyMessage (62 IoCs, all from the same process)
pid | Process
404 | taskmgr.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3576 | LogonUI.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\14482d720ca414b66340964da9d65036_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14482d720ca414b66340964da9d65036_JaffaCakes118.exe"
  PID: 2336
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 344
    Signatures: Program crash
    PID: 3144
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2336 -ip 2336
  PID: 316
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 404
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5084
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3934055 /state1:0x41c64e6d
  Signatures:
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 3576