Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 21:18
Static task: static1
Behavioral task: behavioral1
Sample: 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
Resource: win7-20240508-en
General
- Target: 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
- Size: 207KB
- MD5: 6b1a55d07f9da1278d95263da7379a04
- SHA1: a8a3a79284d65470ec7551ced9f1efb2f12ede33
- SHA256: 5eb04aa52a362039ab1dcaa0375179fb77accc4436b52d34098dc16f7ac20bbe
- SHA512: db89c98a7b8fbfbdf27ee2520595a257914e1a2ac4a2bcdbbb3ac54d13a52c9de3f216365a57202ec7453fea4b9954e95f94ce9d4dfb90eda19f1fd12fbe34c3
- SSDEEP: 3072:wtK8sN3+yM6f0tH5KWR8iIKyVppK3kQIzltJ0WZGvZxiCcWMKj1NPjeV:wo5MyStjRDybMkQAovZx+bG1Ng
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: vscwab.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | vscwab.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | vscwab.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | vscwab.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | vscwab.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies data under HKEY_USERS (3 IoCs)
  Processes: vscwab.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | vscwab.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | vscwab.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | vscwab.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: vscwab.exe
  pid | process
  1292 | vscwab.exe (this row is repeated 12 times in the report)

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
  pid | process
  1208 | 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe, vscwab.exe
  description | pid | process | target process
  PID 1224 wrote to memory of 1208 | 1224 | 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe | 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
  PID 1224 wrote to memory of 1208 | 1224 | 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe | 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
  PID 1224 wrote to memory of 1208 | 1224 | 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe | 6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
  PID 1588 wrote to memory of 1292 | 1588 | vscwab.exe | vscwab.exe
  PID 1588 wrote to memory of 1292 | 1588 | vscwab.exe | vscwab.exe
  PID 1588 wrote to memory of 1292 | 1588 | vscwab.exe | vscwab.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe"
  PID: 1224
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6b1a55d07f9da1278d95263da7379a04_JaffaCakes118.exe --81101446
    PID: 1208
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\vscwab.exe
  Command line: "C:\Windows\SysWOW64\vscwab.exe"
  PID: 1588
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\vscwab.exe
    Command line: C:\Windows\SysWOW64\vscwab.exe --259d1ea4
    PID: 1292
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/1208-4-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/1208-8-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/1224-0-0x0000000002040000-0x000000000205B000-memory.dmp (Filesize: 108KB)
- memory/1224-2-0x0000000002040000-0x000000000205B000-memory.dmp (Filesize: 108KB)
- memory/1224-3-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize: 116KB)
- memory/1292-9-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1292-10-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1292-12-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1292-13-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/1588-5-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)