Analysis
-
max time kernel
134s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04-06-2024 17:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe
Resource
win7-20240508-en
windows7-x64
6 signatures
150 seconds
General
-
Target
95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe
-
Size
534KB
-
MD5
95a3fc6b59f410da7cb82cfad6f8e25f
-
SHA1
d1f9e49e71835454b550e5191120d7455c8cbe6f
-
SHA256
4494a60d6eb89d80d93eb50682240a69ee88e21ceae5f15639a93c912db9299d
-
SHA512
06974142a0ce5681a00df2f23ef7c07a3116115cb1bcefbc377faed0495460c962d3d0665e20653a37323de61ae8722c22a7b1c69761d2accc8177eb164299b2
-
SSDEEP
12288:btC61LZVEAiDQdr2fAy6/tN+WtDAAxxuJaqE8dZftpJfI7FGIE/d+C8YAJBlrH1E:N+AiM52fh6/tN+WtDAAxxuJaqE8dZftG
Malware Config
Extracted
Family
limerat
Wallets
359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8
Attributes
-
aes_key
arglobal
-
antivm
false
-
c2_url
https://pastebin.com/raw/CV5RHE9G
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.url 95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1680 95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe 1680 95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1680 95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1680 wrote to memory of 1380 1680 95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe 82 PID 1680 wrote to memory of 1380 1680 95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe 82 PID 1680 wrote to memory of 1380 1680 95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\95a3fc6b59f410da7cb82cfad6f8e25f_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:1380
-