Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 23:06
Behavioral task
behavioral1
Sample
8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
Resource
win7-20240215-en
windows7-x64
6 signatures
150 seconds
General
-
Target
8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
8fc013bb379e00fb614142ceaa52fffe
-
SHA1
b4ac24b4e934a4339c2804dce93265ae459a4762
-
SHA256
613496e0190d0df061bb4bb9519721dba25cc0daed1bd5b535f7e9a9bc33d836
-
SHA512
ee79514d095e62046c0ad071e0521e8efa31cc1da095c202b0c74018270bdeefce313c064d08562e16f9417548bf0f22c485ebe9a002ed13414e429984d78e3d
-
SSDEEP
24576:rfEY7K9Flox2jGbgqZFZdoJb5AtatqUDzjveEolEVAOfox:rTAW2MBZWPHRzjvCpOfC
Malware Config
Signatures
-
BitRAT payload 6 IoCs
resource yara_rule behavioral2/memory/1244-0-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat behavioral2/memory/1244-3-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat behavioral2/memory/1244-6-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat behavioral2/memory/1244-11-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat behavioral2/memory/1244-16-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat behavioral2/memory/1244-20-0x0000000000400000-0x0000000000826000-memory.dmp family_bitrat -
resource yara_rule behavioral2/memory/1244-0-0x0000000000400000-0x0000000000826000-memory.dmp upx behavioral2/memory/1244-3-0x0000000000400000-0x0000000000826000-memory.dmp upx behavioral2/memory/1244-6-0x0000000000400000-0x0000000000826000-memory.dmp upx behavioral2/memory/1244-11-0x0000000000400000-0x0000000000826000-memory.dmp upx behavioral2/memory/1244-16-0x0000000000400000-0x0000000000826000-memory.dmp upx behavioral2/memory/1244-20-0x0000000000400000-0x0000000000826000-memory.dmp upx -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 1244 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe 1244 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe 1244 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe 1244 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 1244 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1244 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe 1244 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1244