Analysis

max time kernel: 132s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 21:48
Static task: static1

Behavioral task: behavioral1
  Sample: 68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe
Size: 56KB
MD5: 68bfa1b82dc0e2de10d0cf8551938dea
SHA1: 0cf43f74f078fa4af30f589101a59c9860481b30
SHA256: a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd
SHA512: a3e375772eab6b7f8eeedceb54f4e1d041caf3dc1cde03d928e3101de37352082b37ea925fcffe7f46132fa146a5e6db042ac0b0093ac1d8cc00dca9218e22dc
SSDEEP: 768:j5QGuIOFwKTMAj3cdXhwlJsYd+mq8ywmgiR+hYHAGQ:VsIOFwKT/BlJsYFq8ye5WQ
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Process: sysprep.exe
  File opened for modification: C:\Windows\system32\sysprep\Panther\setuperr.log
  File opened for modification: C:\Windows\system32\sysprep\Panther\diagerr.xml
  File opened for modification: C:\Windows\system32\sysprep\Panther\diagwrn.xml
  File opened for modification: C:\Windows\system32\sysprep\Panther\setupact.log

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe, cmd.exe, cmd.exe
  PID 2720 (68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe) wrote to memory of PID 4844 (cmd.exe)
  PID 2720 (68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe) wrote to memory of PID 4844 (cmd.exe)
  PID 4844 (cmd.exe) wrote to memory of PID 2348 (wusa.exe)
  PID 4844 (cmd.exe) wrote to memory of PID 2348 (wusa.exe)
  PID 2720 (68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe) wrote to memory of PID 3904 (cmd.exe)
  PID 2720 (68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe) wrote to memory of PID 3904 (cmd.exe)
  PID 3904 (cmd.exe) wrote to memory of PID 588 (sysprep.exe)
  PID 3904 (cmd.exe) wrote to memory of PID 588 (sysprep.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe (level 1, PID 2720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (level 2, PID 4844)
    Command line: /c wusa.exe C:\Users\Admin\AppData\Local\Temp\CryptBase.dll.cab /quiet /extract:C:\Windows\system32\sysprep\
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\wusa.exe (level 3, PID 2348)
      Command line: wusa.exe C:\Users\Admin\AppData\Local\Temp\CryptBase.dll.cab /quiet /extract:C:\Windows\system32\sysprep\
  C:\Windows\system32\cmd.exe (level 2, PID 3904)
    Command line: C:\Windows\SysNative\cmd.exe /c C:\Windows\system32\sysprep\sysprep.exe C:\Users\Admin\AppData\Local\Temp\gupdate.exe
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\sysprep\sysprep.exe (level 3, PID 588)
      Command line: C:\Windows\system32\sysprep\sysprep.exe C:\Users\Admin\AppData\Local\Temp\gupdate.exe
      Signatures: Drops file in System32 directory
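The process tree above matches the well-known sysprep.exe / CryptBase.dll side-loading pattern: a .cab named CryptBase.dll.cab is handed to wusa.exe for extraction into C:\Windows\system32\sysprep\, then sysprep.exe is started from that directory with a payload path under the user's Temp folder as its argument. When reading this run, note that the only file writes the sandbox attributes to sysprep.exe are its own Panther logs and that no CryptBase.dll write under the sysprep directory is recorded. The Python below is an added detection example, not part of the sandbox output or of the sample: it runs two indicators (wusa.exe /extract into a System32 subdirectory; sysprep.exe invoked with a user-writable path on its command line) over process-creation records copied from the tree and correlates them under a common root process. The sample's parent PID (1000), the two benign control events (PIDs 5100 and 5200) and the user-writable path patterns are constructed assumptions.

```python
"""Added detection example for the wusa.exe /extract + sysprep.exe chain.

Not part of the sandbox report or the sample. PIDs, images and command lines
for PIDs 2720, 4844, 2348, 3904 and 588 are copied from the report; PPID 1000,
the benign events and the path patterns are constructed for this example.
"""
import re
from dataclasses import dataclass

# Locations an unprivileged user can write to (constructed, not exhaustive).
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\|\\programdata\\|\\temp\\")
# Protected system directories that an /extract target should never point at.
SYSTEM32 = re.compile(r"(?i)\\windows\\(system32|sysnative|syswow64)\\")

WUSA_RULE = "wusa_extract_to_system32"
SYSPREP_RULE = "sysprep_user_path_arg"
CHAIN_RULE = "sysprep_dll_sideload_chain"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Yield the event for pid, then each parent present in the data (loop-safe)."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        yield ev
        ev = by_pid.get(ev.ppid)


def root_pid(by_pid, pid):
    """Topmost ancestor we hold an event for; used to group findings per chain."""
    last = None
    for ev in ancestors(by_pid, pid):
        last = ev
    return last.pid if last else pid


def check_wusa_extract(ev):
    """wusa.exe /extract: unpacking a .cab into a protected directory."""
    if _basename(ev.image) != "wusa.exe":
        return None
    m = re.search(r"(?i)/extract:(\S+)", ev.cmdline)
    if not m or not SYSTEM32.search(m.group(1)):
        return None
    return {"rule": WUSA_RULE, "pid": ev.pid, "target": m.group(1),
            "cab_from_user_path": bool(USER_WRITABLE.search(ev.cmdline))}


def check_sysprep(ev, by_pid):
    """sysprep.exe handed a user-writable path (normal runs use /generalize etc.)."""
    if _basename(ev.image) != "sysprep.exe" or not USER_WRITABLE.search(ev.cmdline):
        return None
    from_user_chain = any(USER_WRITABLE.search(a.image) for a in ancestors(by_pid, ev.ppid))
    return {"rule": SYSPREP_RULE, "pid": ev.pid, "ancestor_in_user_path": from_user_chain}


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = [f for ev in events
                for f in (check_wusa_extract(ev), check_sysprep(ev, by_pid)) if f]
    # Correlate: both rules firing under the same root process is the side-load pattern.
    per_root = {}
    for f in findings:
        per_root.setdefault(root_pid(by_pid, f["pid"]), set()).add(f["rule"])
    for root, rules in per_root.items():
        if {WUSA_RULE, SYSPREP_RULE} <= rules:
            findings.append({"rule": CHAIN_RULE, "pid": root, "rules": sorted(rules)})
    return findings


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SYSPREP_DIR = "C:\\Windows\\system32\\sysprep\\"
SAMPLE = TEMP + "68bfa1b82dc0e2de10d0cf8551938dea_JaffaCakes118.exe"
CAB = TEMP + "CryptBase.dll.cab"

# Events from the report's process tree; PPID 1000 and PIDs 5100/5200 are constructed.
EVENTS = [
    ProcEvent(2720, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4844, 2720, "C:\\Windows\\system32\\cmd.exe",
              f"/c wusa.exe {CAB} /quiet /extract:{SYSPREP_DIR}"),
    ProcEvent(2348, 4844, "C:\\Windows\\system32\\wusa.exe",
              f"wusa.exe {CAB} /quiet /extract:{SYSPREP_DIR}"),
    ProcEvent(3904, 2720, "C:\\Windows\\system32\\cmd.exe",
              f"C:\\Windows\\SysNative\\cmd.exe /c {SYSPREP_DIR}sysprep.exe {TEMP}gupdate.exe"),
    ProcEvent(588, 3904, SYSPREP_DIR + "sysprep.exe",
              f"{SYSPREP_DIR}sysprep.exe {TEMP}gupdate.exe"),
    # Benign controls (constructed): a normal sysprep run and a normal update install.
    ProcEvent(5100, 4000, SYSPREP_DIR + "sysprep.exe",
              f"{SYSPREP_DIR}sysprep.exe /generalize /oobe /shutdown"),
    ProcEvent(5200, 4000, "C:\\Windows\\system32\\wusa.exe",
              "wusa.exe C:\\Users\\Admin\\Downloads\\update.msu /quiet /norestart"),
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Against the records above, detect() returns one finding for PID 2348, one for PID 588 and a correlated chain finding rooted at PID 2720; the two benign controls produce nothing. The correlation step matters more than either rule alone: wusa.exe /extract and sysprep.exe each have legitimate uses, but the two under one root that started from a user-writable path is the sequence worth paging on.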
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 20KB
MD5: ab9a743d48383819627ab32d95593f29
SHA1: d780ac540ca322b0b89f226867c18c0b7580b84b
SHA256: a98826349e2ff22e00ba09a4a31eb133f0388c2a58a8886f26a525207ebe1aca
SHA512: dafdfec1edad453200db36f1d317e358b4978141634a6f1131a88bf2ab0ecfbbed07c5123625cfc6d9b606a7a99a5f0e2290172e872fdcd23de7e7a84ef0905d