Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-05-2024 17:57
Behavioral task
behavioral1
Sample
606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe
-
Size
5.7MB
-
MD5
606f2cb5a70ef9cbfe6ef2d9775cd821
-
SHA1
7e635fa0abce2ca6acc50ec87a55e17a46d04bdd
-
SHA256
5e071d2b8e580c076d3d750a58c0aa27789ed23a9d049dfa8ba7dd935c5c3d26
-
SHA512
fe2ab43520dfa0f61114874e687484af078c668e3b575ae94b949eefdeee57c91dd76b8afa581c32a5e0f14b4701958522cad0848cb7af0c5a78e02b0db45795
-
SSDEEP
98304:57Fm8ncsncjcIc0VzEPh24GA0mc+tzSMBQbkBxpa2t25z5eFB2sQ444pE:5esc4+VAPhfD0mT1BQbiv25z5eF0sQfN
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid   Process
2088  webstore.exe
4528  webstore.exe
-
resource                                                                    yara_rule
behavioral2/memory/656-3-0x0000000000400000-0x0000000000DA2000-memory.dmp   vmprotect
behavioral2/memory/656-9-0x0000000000400000-0x0000000000DA2000-memory.dmp   vmprotect
behavioral2/files/0x0007000000023234-23.dat                                 vmprotect
behavioral2/memory/2088-31-0x0000000000400000-0x0000000000DA2000-memory.dmp  vmprotect
behavioral2/memory/2088-32-0x0000000000400000-0x0000000000DA2000-memory.dmp  vmprotect
behavioral2/memory/2088-37-0x0000000000400000-0x0000000000DA2000-memory.dmp  vmprotect
behavioral2/memory/656-39-0x0000000000400000-0x0000000000DA2000-memory.dmp  vmprotect
behavioral2/memory/2088-40-0x0000000000400000-0x0000000000DA2000-memory.dmp  vmprotect
behavioral2/memory/4528-49-0x0000000000400000-0x0000000000DA2000-memory.dmp  vmprotect
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
23    iplogger.com
24    iplogger.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1396  schtasks.exe
1452  schtasks.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description            flow  ioc
HTTP User-Agent header  31    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  65    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
656   606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe  (multiple occurrences)
2088  webstore.exe                                        (multiple occurrences)
-
Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   Process                                             procid_target
PID 656 wrote to memory of 2088   656   606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe  92   (3 occurrences)
PID 2088 wrote to memory of 1396  2088  webstore.exe                                        95   (3 occurrences)
PID 4528 wrote to memory of 1452  4528  webstore.exe                                        105  (3 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\606f2cb5a70ef9cbfe6ef2d9775cd821_JaffaCakes118.exe"
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656
  C:\Users\Admin\AppData\Roaming\Jukebox\webstore.exe
  Command line: webstore.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2088
    C:\Windows\SysWOW64\schtasks.exe
    Command line: C:\Windows\System32\schtasks.exe /create /tn System\SystemUpdate /tr "C:\Users\Admin\AppData\Roaming\Jukebox\webstore.exe" /st 00:00 /sc once /du 9999:59 /ri 5 /f
    - Creates scheduled task(s)
    PID:1396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4788 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
PID:4140
-
C:\Users\Admin\AppData\Roaming\Jukebox\webstore.exe
Command line: C:\Users\Admin\AppData\Roaming\Jukebox\webstore.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528
  C:\Windows\SysWOW64\schtasks.exe
  Command line: C:\Windows\System32\schtasks.exe /create /tn System\SystemUpdate /tr "C:\Users\Admin\AppData\Roaming\Jukebox\webstore.exe" /st 00:00 /sc once /du 9999:59 /ri 5 /f
  - Creates scheduled task(s)
  PID:1452
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
5.7MB
MD5
606f2cb5a70ef9cbfe6ef2d9775cd821
SHA1
7e635fa0abce2ca6acc50ec87a55e17a46d04bdd
SHA256
5e071d2b8e580c076d3d750a58c0aa27789ed23a9d049dfa8ba7dd935c5c3d26
SHA512
fe2ab43520dfa0f61114874e687484af078c668e3b575ae94b949eefdeee57c91dd76b8afa581c32a5e0f14b4701958522cad0848cb7af0c5a78e02b0db45795