Analysis

Max time kernel: 137s
Max time network: 139s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-05-2024 17:00

Static task: static1
Behavioral task: behavioral1
Sample: 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
Size: 102KB
MD5: 640f2a05a264b6897ed17f0edb228ed4
SHA1: 074b1a2ad44bd169cbab2454bd5ddc9ab1194ee2
SHA256: f478208ceeb20cc093d38b1c1a670ae535ba3a6b8b2b0cf68f9f39ab1208531a
SHA512: 2cb7bcc943726422d4e0121c4a05256ba371a412094fb8bc6172752e46181ff12e426d54ea4ef8a8f1903842533f9d455db28a3afb968fda4031d069e5df1dad
SSDEEP: 3072:pWzSlLzc1hIOBWL/FWes1qqdPPqDRR2GdF5cb:pflGrMLtEDnqDz7d
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Processes: WarningSnippets.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (WarningSnippets.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (WarningSnippets.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (WarningSnippets.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (WarningSnippets.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Processes: WarningSnippets.exe
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (WarningSnippets.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (WarningSnippets.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (WarningSnippets.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: WarningSnippets.exe
  PID 3608 WarningSnippets.exe (listed 6 times)

Suspicious behavior: RenamesItself (1 IoC)
Processes: 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
  PID 4256 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe, WarningSnippets.exe
  PID 4336 wrote to memory of 4256: process 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe, target process 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe (listed 3 times)
  PID 4260 wrote to memory of 3608: process WarningSnippets.exe, target process WarningSnippets.exe (listed 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
  PID: 4336
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
      PID: 4256
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\WarningSnippets.exe
  Command line: C:\Windows\SysWOW64\WarningSnippets.exe
  PID: 4260
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WarningSnippets.exe
      Command line: "C:\Windows\SysWOW64\WarningSnippets.exe"
      PID: 3608
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

File                                                              Filesize
memory/3608-22-0x00000000005F0000-0x00000000005FE000-memory.dmp   56KB
memory/3608-32-0x00000000005F0000-0x00000000005FE000-memory.dmp   56KB
memory/3608-23-0x0000000000620000-0x000000000062E000-memory.dmp   56KB
memory/3608-28-0x0000000000F60000-0x0000000000F70000-memory.dmp   64KB
memory/3608-27-0x0000000000620000-0x000000000062E000-memory.dmp   56KB
memory/4256-30-0x0000000000570000-0x0000000000590000-memory.dmp   128KB
memory/4256-31-0x00000000005D0000-0x00000000005DE000-memory.dmp   56KB
memory/4256-13-0x0000000000610000-0x0000000000620000-memory.dmp   64KB
memory/4256-12-0x00000000005D0000-0x00000000005DE000-memory.dmp   56KB
memory/4256-11-0x0000000000600000-0x000000000060E000-memory.dmp   56KB
memory/4256-7-0x0000000000600000-0x000000000060E000-memory.dmp    56KB
memory/4260-15-0x00000000014D0000-0x00000000014DE000-memory.dmp   56KB
memory/4260-20-0x0000000001330000-0x000000000133E000-memory.dmp   56KB
memory/4260-21-0x00000000014E0000-0x00000000014F0000-memory.dmp   64KB
memory/4260-29-0x0000000001330000-0x000000000133E000-memory.dmp   56KB
memory/4260-19-0x00000000014D0000-0x00000000014DE000-memory.dmp   56KB
memory/4336-0-0x0000000000B90000-0x0000000000B9E000-memory.dmp    56KB
memory/4336-14-0x0000000000B90000-0x0000000000B9E000-memory.dmp   56KB
memory/4336-6-0x0000000000BD0000-0x0000000000BE0000-memory.dmp    64KB
memory/4336-5-0x0000000000BC0000-0x0000000000BCE000-memory.dmp    56KB
memory/4336-1-0x0000000000BC0000-0x0000000000BCE000-memory.dmp    56KB