Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 20:07

Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
- Resource: win7-20231129-en (windows7-x64)
- 6 signatures
- 150 seconds
General
- Target: 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
- Size: 144KB
- MD5: 60f308c539feac706dcd2c85831771cb
- SHA1: 862d8459c8114216aee8794282dc0cf457630c97
- SHA256: 955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857
- SHA512: ed08e61e2c1aa7659a9421dc963e047ed0ad89318388af50fbe46303cafa1d4962dee4fb97f54dc060a72b79faf6168c71158d6ffb924d7a6b4062fbb62a049b
- SSDEEP: 3072:Dlll3NCpoO6BfDbCgwF+a5p1n4eM2kXjSBGNREQW:DhocfDbC/Fr4PzSBGNRL
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes (pid, process):
  4856 svchost.exe
- Discovers systems in the same network (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  3176 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe (4 entries)
  4856 svchost.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 2800 whoami.exe (27 identical entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
  PID 3176 wrote to memory of 4856: 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe -> svchost.exe (4 entries)
  PID 4856 wrote to memory of 2800: svchost.exe -> whoami.exe (3 entries)
  PID 4856 wrote to memory of 4608: svchost.exe -> net.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\whoami.exe
      Command line: C:\Windows\system32\whoami.exe /all
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\net.exe
      Command line: C:\Windows\system32\net.exe view
      - Discovers systems in the same network
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
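Added detection example; this is not part of the sandbox report and not code from the sample or the sandbox vendor. The process tree above shows the pattern worth alerting on: an svchost.exe started by a file in the user's Temp directory rather than by services.exe, with that file's path as its only argument, receiving WriteProcessMemory calls from that parent, and then launching whoami /all and net view. Note that the image path recorded on disk is C:\Windows\SysWOW64\svchost.exe while the command line says system32: the process is 32-bit, so WOW64 file-system redirection resolves system32 to SysWOW64, and a rule keyed on the command-line string alone would not see that. The Python below encodes these checks as one rule over a list of process-creation and memory-write events transcribed from this report; the services.exe/svchost.exe pair with pids 700 and 900 is a constructed benign control, not from the report, included to show the rule stays quiet on a normally hosted service.

```python
"""Flag an svchost.exe used as an injection target that then runs reconnaissance.

Added example, not part of the sandbox report.  PROCESSES and MEMORY_WRITES are
transcribed from the report's process tree and WriteProcessMemory IoCs; the
services.exe/svchost.exe pair (pids 700/900) is a constructed benign control.
"""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"

# (pid, parent pid, image path on disk, command line)
PROCESSES = [
    (3176, None, SAMPLE, '"' + SAMPLE + '"'),
    (4856, 3176, r"C:\Windows\SysWOW64\svchost.exe",
     r"C:\Windows\system32\svchost.exe " + '"' + SAMPLE + '"'),
    (2800, 4856, r"C:\Windows\SysWOW64\whoami.exe", r"C:\Windows\system32\whoami.exe /all"),
    (4608, 4856, r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\system32\net.exe view"),
    # Constructed benign control: a service host started by services.exe.
    (700, None, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    (900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]

# (writer pid, target pid), one entry per reported IoC.
MEMORY_WRITES = [(3176, 4856)] * 4 + [(4856, 2800)] * 3 + [(4856, 4608)] * 3

# Host/network discovery binaries a service host has no business launching.
RECON_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "nltest.exe", "systeminfo.exe"}


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def split_cmdline(cmdline):
    """Minimal Windows command-line splitter that honours double quotes."""
    args, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def analyze(processes, memory_writes):
    """Return {pid: [reasons]} for every svchost.exe that looks hijacked."""
    by_pid = {p[0]: p for p in processes}
    children = defaultdict(list)
    for pid, ppid, _, _ in processes:
        children[ppid].append(pid)
    writers = defaultdict(set)
    for writer, target in memory_writes:
        writers[target].add(writer)

    findings = {}
    for pid, ppid, image, cmdline in processes:
        if basename(image) != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(ppid)
        if parent is None or basename(parent[2]) != "services.exe":
            reasons.append("parent is not services.exe")
        args = split_cmdline(cmdline)[1:]
        if any("\\users\\" in a.lower() or "\\temp\\" in a.lower() for a in args):
            reasons.append("user-writable path passed as argument")
        # On-disk image under SysWOW64 but command line names system32: 32-bit process.
        if "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower():
            reasons.append("32-bit svchost.exe (WOW64 redirected system32 to SysWOW64)")
        for w in sorted(writers.get(pid, ())):
            w_proc = by_pid.get(w)
            w_name = basename(w_proc[2]) if w_proc else "unknown"
            if w_name != "services.exe":
                reasons.append(f"memory written by pid {w} ({w_name})")
        recon = sorted(basename(by_pid[c][2]) for c in children.get(pid, [])
                       if basename(by_pid[c][2]) in RECON_TOOLS)
        if recon:
            reasons.append("spawns reconnaissance tools: " + ", ".join(recon))
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(PROCESSES, MEMORY_WRITES).items():
        print(f"pid {pid}:")
        for r in reasons:
            print("  -", r)
```

Run on the transcribed events, only pid 4856 is reported, with all five reasons; the constructed pid 900 produces none. In a real pipeline the same checks map onto Sysmon event IDs 1 (process creation, which carries both Image and CommandLine) and 8/10 (remote thread and process access), and the parent check should be done on the parent image, not the parent name a process reports for itself.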
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/3176-1-0x0000000000B80000-0x0000000000B86000-memory.dmp (24KB)
- memory/3176-0-0x0000000000BB0000-0x0000000000BD5000-memory.dmp (148KB)
- memory/3176-2-0x0000000000BB0000-0x0000000000BD5000-memory.dmp (148KB)
- memory/4856-5-0x0000000076252000-0x0000000076253000-memory.dmp (4KB)
- memory/4856-3-0x0000000002C50000-0x0000000002C51000-memory.dmp (4KB)
- memory/4856-12-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-14-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-19-0x0000000076200000-0x00000000762F0000-memory.dmp (960KB)
- memory/4856-13-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-11-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-10-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-9-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-8-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-7-0x0000000000400000-0x0000000000425000-memory.dmp (148KB)
- memory/4856-31-0x0000000076200000-0x00000000762F0000-memory.dmp (960KB)