Analysis
max time kernel: 146s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 07:56

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  Resource: win7-20240220-en
  7 signatures, 150 seconds
General
Target: 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
Size: 187KB
MD5: 668d1d7c39af8906ed862ae9ff645a63
SHA1: 35644070d27bde9f87a5552becc4b18d017d9faf
SHA256: a1a6a9070efc72cd197cb8d27342f0cd6ba8f15e706b308f164fcafd6f561258
SHA512: b5f0ad76de4110445fb978c13c9d1c76676ff541f5d0721b2303765c44ac5bb2037e92914e5d0dae8c7dc16c8fe5bb376e17e3e039df6383d7a9374472b13a2e
SSDEEP: 3072:2D8qMHPIFIhK2kwVP5YdShdXlkkaK/PngcfS3CYo7RWa5A+:2DhMHPThK2x5WSXl6K/lS3CdY
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | swimcrash.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | swimcrash.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | swimcrash.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | swimcrash.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | swimcrash.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | swimcrash.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | swimcrash.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid | Process
  4176 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  4176 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  4664 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  4664 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  2896 | swimcrash.exe
  2896 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe
  3732 | swimcrash.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid | Process
  4664 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4176 wrote to memory of 4664 | 4176 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe | 91
  PID 4176 wrote to memory of 4664 | 4176 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe | 91
  PID 4176 wrote to memory of 4664 | 4176 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe | 91
  PID 2896 wrote to memory of 3732 | 2896 | swimcrash.exe | 93
  PID 2896 wrote to memory of 3732 | 2896 | swimcrash.exe | 93
  PID 2896 wrote to memory of 3732 | 2896 | swimcrash.exe | 93
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4176

  Level 2: C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    PID: 4664

Level 1: C:\Windows\SysWOW64\swimcrash.exe
  Command line: "C:\Windows\SysWOW64\swimcrash.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2896

  Level 2: C:\Windows\SysWOW64\swimcrash.exe
    Command line: "C:\Windows\SysWOW64\swimcrash.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 3732

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  PID: 1980