Analysis

max time kernel: 149s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 00:51
Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: 8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  Resource: win7-20240508-en
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
  5 signatures, 150 seconds
General

Target: 8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
Size: 426KB
MD5: 8c5ff664440d0134f317ebbdebca6f7f
SHA1: f5454ed8399d7024a45d51c20aa5be3bfb775785
SHA256: b79248198924cac145580c98378324fe16ab319e5da4d1e7a1b379d375f0b410
SHA512: 2ddbee7e12a9df9032aae61dc03cbf407bbba9fdcc66c9d5dea042e05165eba8388aa08e3d8e161be25b70152c8dec2c495ffd95a2c38efd694f4df48ab8ec3f
SSDEEP: 12288:qZ6ETUFctxIDSXXKpZYnXcyu9UPEmSQ7pB/Qd41gG:qwEYLDSn1Xcysr6B/yG
Score: 5/10
Malware Config
Signatures
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                      yara_rule
  behavioral2/memory/1012-1-0x0000000140000000-0x000000014010A000-memory.dmp   autoit_exe
  behavioral2/memory/4284-2-0x0000000140000000-0x000000014010A000-memory.dmp   autoit_exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                            pid   Process
  Token: SeDebugPrivilege                1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  Token: SeAssignPrimaryTokenPrivilege   1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
  Token: SeIncreaseQuotaPrivilege        1012  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   Process                                              procid_target
  PID 4284 wrote to memory of 4000    4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe   86
  PID 4284 wrote to memory of 4000    4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe   86
  PID 4000 wrote to memory of 4156    4000  cmd.exe                                              87
  PID 4000 wrote to memory of 4156    4000  cmd.exe                                              87
  PID 4156 wrote to memory of 3940    4156  net.exe                                              88
  PID 4156 wrote to memory of 3940    4156  net.exe                                              88
  PID 4284 wrote to memory of 1760    4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe   92
  PID 4284 wrote to memory of 1760    4284  8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe   92
Processes

Process tree (indentation shows parent/child nesting; the numbers are the tree depth reported by the sandbox):

1. C:\Users\Admin\AppData\Local\Temp\8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID:1012

   2. C:\Users\Admin\AppData\Local\Temp\8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8c5ff664440d0134f317ebbdebca6f7f_JaffaCakes118.exe /stage2 /parent 1012
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:4284

      3. C:\Windows\SYSTEM32\cmd.exe
         Command line: cmd /c net start trustedinstaller >nul 2>&1
         - Suspicious use of WriteProcessMemory
         PID:4000

         4. C:\Windows\system32\net.exe
            Command line: net start trustedinstaller
            - Suspicious use of WriteProcessMemory
            PID:4156

            5. C:\Windows\system32\net1.exe
               Command line: C:\Windows\system32\net1 start trustedinstaller
               PID:3940

      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c pause
         PID:1760