Analysis
max time kernel: 135s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 16:46
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe
Resource: win7-20240508-en
7 signatures, 150 seconds
General
Target: 6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe
Size: 128KB
MD5: 6404079117fdcfa3a34eecb4009b407e
SHA1: 1a0455583d0dfa71b8cf00a431ec9fb034e31670
SHA256: bbd2e2fbf9de689b293485b4cd01e9455201a3974a3082b68862e2e98d76d65c
SHA512: 52cf0670e2b3106fa6fba0e1a34bc6e9588d2c66ed63a6c85119b8cd5c6709f4feb8d0918d0b953eb1290733a6aadf3adbdb61170c09e83954f052499c4c4709
SSDEEP: 3072:nPAAAAAAAAAAAAAAAAAA0AAA6XWAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAALo9AAe:dS2eSATfi7I1RVJ
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | shedaudio.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | shedaudio.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | shedaudio.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | shedaudio.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | shedaudio.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | shedaudio.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | shedaudio.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1036 | shedaudio.exe
  1036 | shedaudio.exe
  1036 | shedaudio.exe
  1036 | shedaudio.exe
  1036 | shedaudio.exe
  1036 | shedaudio.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  1844 | 6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4948 wrote to memory of 1844 | 4948 | 6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe | 87
  PID 4948 wrote to memory of 1844 | 4948 | 6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe | 87
  PID 4948 wrote to memory of 1844 | 4948 | 6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe | 87
  PID 2364 wrote to memory of 1036 | 2364 | shedaudio.exe | 100
  PID 2364 wrote to memory of 1036 | 2364 | shedaudio.exe | 100
  PID 2364 wrote to memory of 1036 | 2364 | shedaudio.exe | 100
Processes
- C:\Users\Admin\AppData\Local\Temp\6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4948
  - C:\Users\Admin\AppData\Local\Temp\6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6404079117fdcfa3a34eecb4009b407e_JaffaCakes118.exe"
    - Suspicious behavior: RenamesItself
    PID: 1844
- C:\Windows\SysWOW64\shedaudio.exe
  C:\Windows\SysWOW64\shedaudio.exe
  - Suspicious use of WriteProcessMemory
  PID: 2364
  - C:\Windows\SysWOW64\shedaudio.exe
    "C:\Windows\SysWOW64\shedaudio.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 1036