Analysis
- max time kernel: 141s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 21:32

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
- Resource: win7-20240508-en
- 6 signatures
- 150 seconds
General
- Target: 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
- Size: 91KB
- MD5: 26d6aa10ad93d6aa5281483ac169bf3a
- SHA1: 331f191e3a85d7e97810ae62617c5a0d9b2babce
- SHA256: 07a2a449026acd0e941bfc8138266a5399e5a78f6ce5dc926a30d45c41558f11
- SHA512: 6a70376301a1c811f3fce2ab74f67dcf302aad6a0fc172aa86ffce6c7850d85be797af7bdb5386b5235e543ac50da2dbb20992aa5634a4be710a8067054d26f4
- SSDEEP: 1536:bw54SjpaSUkBy3y4OWinukAPzSatP4zlkwKQuvFboV8jXSk:ypIXJOWinZah4zgTvxoVcXS
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | sendarr.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | sendarr.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | sendarr.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | sendarr.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | sendarr.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | sendarr.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | sendarr.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process | occurrences
- 4604 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 2
- 4620 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 2
- 1332 | sendarr.exe | 2
- 4112 | sendarr.exe | 20

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
- 4620 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 4604 wrote to memory of 4620 | 4604 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 86
- PID 4604 wrote to memory of 4620 | 4604 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 86
- PID 4604 wrote to memory of 4620 | 4604 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 86
- PID 1332 wrote to memory of 4112 | 1332 | sendarr.exe | 88
- PID 1332 wrote to memory of 4112 | 1332 | sendarr.exe | 88
- PID 1332 wrote to memory of 4112 | 1332 | sendarr.exe | 88
Processes

- C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe"
  PID: 4604
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe"
    PID: 4620
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\sendarr.exe
  command line: "C:\Windows\SysWOW64\sendarr.exe"
  PID: 1332
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\sendarr.exe
    command line: "C:\Windows\SysWOW64\sendarr.exe"
    PID: 4112
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses