Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 18:15
Behavioral task: behavioral1
- Sample: 3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe
- Size: 109KB
- MD5: 3066d1b2e84e8444082d70a1ad90c017
- SHA1: 3bd522bd7256095774f78ba98ea0f4085651b88a
- SHA256: 61ffe36301e722b85088cfceb5d5a703e57eff907119ef305dc92da45c254aaf
- SHA512: 84c61d702d184538cbdac5d99ae18cc9abd6aef456db3133fb1a694aca2947683f098d6601964c633c274358b9b510761e6afee8adfaea03e23609cd654a8fc9
- SSDEEP: 3072:OCrRG9LEWHyMp6awrpEoNLna7EP7S5p1gRk:OCrs0JaYvnDPgg2
Malware Config
Signatures
- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes:
    description      ioc
    Destination IP   177.231.157.189
- Drops file in System32 directory (4 IoCs)
  Processes: bearsribbon.exe
    description                   ioc                                                                                                         process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5              bearsribbon.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                       bearsribbon.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                        bearsribbon.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5                bearsribbon.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: bearsribbon.exe
    description      ioc                                                                                                                     process
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                  bearsribbon.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"      bearsribbon.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"     bearsribbon.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: bearsribbon.exe
    pid   process
    3540  bearsribbon.exe (the same entry is listed 12 times)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: 3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe
    pid   process
    5068  3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe, bearsribbon.exe
    description                       pid   process                                              target process
    PID 4424 wrote to memory of 5068  4424  3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe  3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe (listed 3 times)
    PID 1500 wrote to memory of 3540  1500  bearsribbon.exe                                      bearsribbon.exe (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3066d1b2e84e8444082d70a1ad90c017_JaffaCakes118.exe (depth 2)
    Command line: --57754af6
    - Suspicious behavior: RenamesItself
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
- C:\Windows\SysWOW64\bearsribbon.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\bearsribbon.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\bearsribbon.exe (depth 2)
    Command line: --f72f590b
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1500-6-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/1500-7-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/3540-11-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/3540-12-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/3540-15-0x0000000000400000-0x000000000041E000-memory.dmp (Filesize 120KB)
- memory/4424-0-0x0000000002020000-0x0000000002031000-memory.dmp (Filesize 68KB)
- memory/4424-3-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/4424-2-0x0000000002020000-0x0000000002031000-memory.dmp (Filesize 68KB)
- memory/5068-4-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/5068-10-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)