Analysis
max time kernel: 138s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 19:55

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
  Resource: win7-20240215-en
  9 signatures, 150 seconds
General
Target: 648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
Size: 136KB
MD5: 648fdc19f6c9edca30a8f9a756234699
SHA1: 321f822bb486dccfad216ff2b2a40e4112637a4f
SHA256: 52d4dafbcfae960f9c56c22dd3013b33747410cc14d384ae26caaae26f7e74c5
SHA512: ae2a2a284424412d9d85d55beddc3d90bf8b193f625accf779e04360f73857d96dcd39d228d9e6a3004da1c52bc0afe3b291976244364f612819132230186c32
SSDEEP: 3072:Fkh20/12+YvN69kc10oF+RDINn6j9DyIK3cIRV0x2IY:Fkh20/12+Y8Kc13kDYn6jdyIK3PV0J
Malware Config
Signatures

Unexpected DNS network traffic destination (1 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description      ioc
  Destination IP   148.103.9.108

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel (2 IoCs)
  description   ioc                                                                                          Process
  Key created   \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg          648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
  Key created   \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\PowerCfg          648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

Modifies data under HKEY_USERS (2 IoCs)
  description   ioc                                              Process
  Key created   \REGISTRY\USER\.DEFAULT\Control Panel\PowerCfg   wordpadidl.exe
  Key created   \REGISTRY\USER\.DEFAULT\Control Panel\PowerCfg   wordpadidl.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid    Process
  1592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
  1592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
  4592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
  4592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
  3896   wordpadidl.exe
  3896   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe
  3948   wordpadidl.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid    Process
  4592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid    Process                                              procid_target
  PID 1592 wrote to memory of 4592     1592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe   84
  PID 1592 wrote to memory of 4592     1592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe   84
  PID 1592 wrote to memory of 4592     1592   648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe   84
  PID 3896 wrote to memory of 3948     3896   wordpadidl.exe                                       95
  PID 3896 wrote to memory of 3948     3896   wordpadidl.exe                                       95
  PID 3896 wrote to memory of 3948     3896   wordpadidl.exe                                       95
Processes

C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe"
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1592

  C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\648fdc19f6c9edca30a8f9a756234699_JaffaCakes118.exe"
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    PID: 4592

C:\Windows\SysWOW64\wordpadidl.exe
  Command line: "C:\Windows\SysWOW64\wordpadidl.exe"
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3896

  C:\Windows\SysWOW64\wordpadidl.exe (child)
    Command line: "C:\Windows\SysWOW64\wordpadidl.exe"
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 3948