Analysis

max time kernel: 137s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 21-05-2024 17:00

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
  Resource: win7-20240508-en
  7 signatures, 150 seconds
General

Target: 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe
Size: 102KB
MD5: 640f2a05a264b6897ed17f0edb228ed4
SHA1: 074b1a2ad44bd169cbab2454bd5ddc9ab1194ee2
SHA256: f478208ceeb20cc093d38b1c1a670ae535ba3a6b8b2b0cf68f9f39ab1208531a
SHA512: 2cb7bcc943726422d4e0121c4a05256ba371a412094fb8bc6172752e46181ff12e426d54ea4ef8a8f1903842533f9d455db28a3afb968fda4031d069e5df1dad
SSDEEP: 3072:pWzSlLzc1hIOBWL/FWes1qqdPPqDRR2GdF5cb:pflGrMLtEDnqDz7d
Malware Config

Signatures

Drops file in System32 directory (4 IoCs)
Process: WarningSnippets.exe, file opened for modification:
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Process: WarningSnippets.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 3608 WarningSnippets.exe (6 events)

Suspicious behavior: RenamesItself (1 IoC)
- PID 4256 640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4336 (640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe) wrote to memory of PID 4256, procid_target 82 (3 events)
- PID 4260 (WarningSnippets.exe) wrote to memory of PID 3608, procid_target 93 (3 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe (PID 4336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe (PID 4256)
    Command line: "C:\Users\Admin\AppData\Local\Temp\640f2a05a264b6897ed17f0edb228ed4_JaffaCakes118.exe"
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\WarningSnippets.exe (PID 4260)
  Command line: C:\Windows\SysWOW64\WarningSnippets.exe
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\WarningSnippets.exe (PID 3608)
    Command line: "C:\Windows\SysWOW64\WarningSnippets.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses