Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 20:31
Static task: static1
Behavioral task: behavioral1
- Sample: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
- Size: 1.0MB
- MD5: 5b51fcb93e6d3718bba97e531ba8ad2d
- SHA1: 3ea027b5382e84f2936fc688781de0a2fc167db1
- SHA256: b2d23e455eb56451966097d786f7b7e3a056e693f7811b179147da1603850aef
- SHA512: 76242227fc5b7d07973c45ae541eb050e212e9136cd5b1b8abbf9c963d1493f5333bdcffcf6029c04ba81dd7e5d9f9330f67038d82ff80ab7d1b677e69e679d8
- SSDEEP: 12288:EQbgTLDAmuSRNHNwmFUMJW48HGO+hfuQ/c0TQyZKpL9GQ5Qw:EQkTLMmuSRNHNwmFUEZ4GOIft/1Qp9GA
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe, mstsc.exe
  description | pid | process | target process
  PID 2452 set thread context of 844 | 2452 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe
  PID 844 set thread context of 4552 | 844 | mstsc.exe | iexplore.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe, mstsc.exe
  description | pid | process | target process | count
  PID 2452 wrote to memory of 844 | 2452 | 5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe | mstsc.exe | 5 entries
  PID 844 wrote to memory of 4552 | 844 | mstsc.exe | iexplore.exe | 11 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe (PID 2452)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b51fcb93e6d3718bba97e531ba8ad2d_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mstsc.exe (PID 844)
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 4552)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"