Analysis
- max time kernel: 51s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 13:13
Static task: static1
Behavioral task: behavioral1
- Sample: a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
- Size: 3.5MB
- MD5: a5b7f0a8146d3d770e25c9e05c1fe51b
- SHA1: f2bcf6db4cc162e2f21a90b1a0c47f281f4e2de6
- SHA256: 100d67245436a91cf74d6cbdb370fb88a11d6f6410333c082638b8ce979653ba
- SHA512: 66f6d133729ce9f1f6b97a7b7c60b51949455d3cd0351f0d13edfd7873538564df3d58a5cc5e958a88d5ebb0336e6d5eec5474fbf9f709aa4896aaf2fd60338d
- SSDEEP: 98304:t3bobVkwiXFlJboUaQXK1XR0ZNSHm8GeRLfWFZzr:Bbeirfa1GZN+PhLIZ/
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 5012  drvprosetup.exe
    PID 5008  drvprosetup.tmp
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 5008  drvprosetup.tmp
    PID 5008  drvprosetup.tmp
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      drvprosetup.tmp
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  drvprosetup.tmp
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source PID, target PID, source process, target process):
    PID 3856 wrote to memory of 5012  a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe -> drvprosetup.exe
    PID 3856 wrote to memory of 5012  a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe -> drvprosetup.exe
    PID 3856 wrote to memory of 5012  a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe -> drvprosetup.exe
    PID 5012 wrote to memory of 5008  drvprosetup.exe -> drvprosetup.tmp
    PID 5012 wrote to memory of 5008  drvprosetup.exe -> drvprosetup.tmp
    PID 5012 wrote to memory of 5008  drvprosetup.exe -> drvprosetup.tmp
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe"
  PID: 3856
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
    PID: 5012
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp" /SL5="$B0064,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
      PID: 5008
      Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
  Filesize: 3.1MB
  MD5: 3107c28da15cc8db52ecaeb41e92fa27
  SHA1: 9498f3281c0b79a8f051ca9aeb0d6132dcf0ca0f
  SHA256: e9318226bff1cf3225c26f0bde46ad08f2a745fe9de55153a41c7bf7eb194325
  SHA512: 8b2d0c2744584899ac8cc15786dd13b977958c4d3c8f2cb50b7afeb52b0a6f647bf8b20ab19d5d3b562d8804f92b8fb5828f971124b4e089c0858f0a6ad1a2b8
- C:\Users\Admin\AppData\Local\Temp\is-C7JB6.tmp\DrvProHelper.dll
  Filesize: 1.3MB
  MD5: dfd23a69f1a7f5385eafafde8f5582f4
  SHA1: e578e02964582382d4cf90ac003bffa9dcd1dd30
  SHA256: 701db9616b8ca5f24694a3b9fde8b96b08fbbe14871d9f7eeb721ff29d3259d2
  SHA512: 740dda51de539a6c889fecfeeb157ae3ae706e9b6c59931c715ec4a660420b6667b2e01954b511ae872164bdb90be887cf3beddfb2fafad3ee945c92ecf6b174
- C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp
  Filesize: 1.1MB
  MD5: 91c38c395631d57254356e90b9a6e554
  SHA1: cbe8ae15ec5c8a392b00ddbc71cf92eddd5645b4
  SHA256: e9804fa0e9a0b249a69539bf9ba3f2df95648f56676a61b8988e6648308ae83d
  SHA512: 9f95567ceb618167899d954387771312b4895d03dcf65e5402c284af50e1ac1ec5d452a8069528a4761894dba02be7a97849be01626d1d688dc4059abf65f119
Memory dumps (name, filesize):
- memory/5008-18-0x0000000003360000-0x00000000034AE000-memory.dmp  1.3MB
- memory/5008-9-0x0000000000400000-0x0000000000522000-memory.dmp  1.1MB
- memory/5008-22-0x0000000000400000-0x0000000000522000-memory.dmp  1.1MB
- memory/5008-23-0x0000000003360000-0x00000000034AE000-memory.dmp  1.3MB
- memory/5008-25-0x0000000000400000-0x0000000000522000-memory.dmp  1.1MB
- memory/5008-27-0x0000000000400000-0x0000000000522000-memory.dmp  1.1MB
- memory/5008-32-0x0000000000400000-0x0000000000522000-memory.dmp  1.1MB
- memory/5012-5-0x0000000000401000-0x0000000000412000-memory.dmp  68KB
- memory/5012-3-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
- memory/5012-21-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
- memory/5012-34-0x0000000000400000-0x000000000041F000-memory.dmp  124KB