Analysis
-
max time kernel
148s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
06-05-2024 12:27
General
-
Target
1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe
-
Size
731KB
-
MD5
1c7ed964dddd78ee5e8d3427e39fb613
-
SHA1
e34a8c0d58ffe8228ccd18adcab3bd155012f7bb
-
SHA256
9f108d3210afe4fd08c411caa2cd5540c7d1501b419018c193d30eccca8b02df
-
SHA512
e2995588fd9b0a02e19f1eb9443d507b6160ae34a6e6d5b7d8749ae895eceda19cdf55c24d1b563bb8841c6dc05fdcf8a8b857f5ccfdede7ebbeeee8d8d3546b
-
SSDEEP
12288:164z/NTF6hT2H72/3DTYFC24a10Yw54xs0FzNiqosdA6F5mSZ/:gWF6hTCq3YFD4eosa6/
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Modifies data under HKEY_USERS 23 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1c7ed964dddd78ee5e8d3427e39fb613_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\zdejkye.exeC:\Users\Admin\AppData\Local\Temp\zdejkye.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zdejkye.exe"C:\Users\Admin\AppData\Local\Temp\zdejkye.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 6563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 6763⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4648 -ip 46481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4648 -ip 46481⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD5c56f94cd3b37a4cfb2a4963bd150d6b7
SHA1ac7276f65b2601f68408d947475f16420d130b3f
SHA2561e7594c7d039dbf626103532a78d1696615068578bb0df919ec3e166d50ad8e3
SHA512d94848767ae7bbb872fcd34e063cb330db483d870b0156c9e84a9cdc5b359551f2c522e895c871ddd52f3d564dee2e9a5d46def1d072b4b515ad3c4d04b7347d
-
Filesize
731KB
MD51c7ed964dddd78ee5e8d3427e39fb613
SHA1e34a8c0d58ffe8228ccd18adcab3bd155012f7bb
SHA2569f108d3210afe4fd08c411caa2cd5540c7d1501b419018c193d30eccca8b02df
SHA512e2995588fd9b0a02e19f1eb9443d507b6160ae34a6e6d5b7d8749ae895eceda19cdf55c24d1b563bb8841c6dc05fdcf8a8b857f5ccfdede7ebbeeee8d8d3546b
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
657KB
-
Filesize
660KB
-
Filesize
660KB
-
Filesize
2.1MB
-
Filesize
2.3MB
-
Filesize
2.3MB