Analysis
max time kernel: 148s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 00:56

Static task: static1
Behavioral task: behavioral1
Sample: 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
Resource: win7-20240508-en
8 signatures
150 seconds
General
Target: 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
Size: 107KB
MD5: 656e1f70891e4a2c77a1f58cb4446a83
SHA1: 4d2e950535237f92aabf712863c7a6f00d93d17f
SHA256: ddbc8b5d72af93b39727f2a26efae6aca2127b933f600c6213435a91542d0ed0
SHA512: 8e707d3b20b17c611436e098debd8b8602dd19a51d6fbeebd090f6bed7ef874c9e885c75fe95f09ecaa112542bc9c9abb11ebd5b9cc5427386047d3a46913f7e
SSDEEP: 1536:vvA3k5x9zTF9V1GfCpq+j+zU8wrHvg+jjNVJAgUKT8W2cK3wy/8l/epYnHvIqvIM:Fx9PrbRrH/jhVJAzKTCx37s/fnA/aSg
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | licsprompt.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | licsprompt.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | licsprompt.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | licsprompt.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | licsprompt.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | licsprompt.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | licsprompt.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
4428 | licsprompt.exe (14 identical entries)

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
1836 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2432 wrote to memory of 1836 | 2432 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe | 84
PID 2432 wrote to memory of 1836 | 2432 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe | 84
PID 2432 wrote to memory of 1836 | 2432 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe | 84
PID 4356 wrote to memory of 4428 | 4356 | licsprompt.exe | 96
PID 4356 wrote to memory of 4428 | 4356 | licsprompt.exe | 96
PID 4356 wrote to memory of 4428 | 4356 | licsprompt.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe"
  depth: 1
  PID: 2432
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe --6a9ac4fd
    depth: 2
    PID: 1836
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\licsprompt.exe
  command line: "C:\Windows\SysWOW64\licsprompt.exe"
  depth: 1
  PID: 4356
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\licsprompt.exe
    command line: C:\Windows\SysWOW64\licsprompt.exe --14e15ea3
    depth: 2
    PID: 4428
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses