Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
14/06/2024, 07:39
Static task
static1
Behavioral task
behavioral1
Sample
a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
-
Size
418KB
-
MD5
a89009b3265079816bda3849bf7a0f46
-
SHA1
bd9201745c4172ee397a651c27b02567425db698
-
SHA256
202d948994aaa756189fb39d9159683ec7a00d3a68f775146f3d541980052675
-
SHA512
8ac84bed8597b5f287a1449e8920c1e00ca355b136e90ec1f05183d324a56eb0474abb2b1b6810519ee6fa39196a60cd41f073c833479a2a5cef3fb2513adf0e
-
SSDEEP
6144:I/QiQP+CL6lhU7dXYwQfEyLqrNbxXyVlcG40eAw38o85XOC8T/FUyKGpM9CITU/o:QQiG+Cn7dXYwEZL2ulcGpX98iR4o
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
4888 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
-
Loads dropped DLL 2 IoCs
pid Process
4888 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
4888 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
-
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Sophos\Sophos Anti-Virus a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\K7 Computing\K7TotalSecurity a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
-
pid Process
1088 powershell.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
1088 powershell.exe
1088 powershell.exe
1088 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1088 powershell.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 3080 wrote to memory of 4888 3080 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe 91
PID 3080 wrote to memory of 4888 3080 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe 91
PID 3080 wrote to memory of 4888 3080 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe 91
PID 4888 wrote to memory of 1548 4888 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp 98
PID 4888 wrote to memory of 1548 4888 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp 98
PID 4888 wrote to memory of 1548 4888 a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp 98
PID 1548 wrote to memory of 1088 1548 cmd.exe 100
PID 1548 wrote to memory of 1088 1548 cmd.exe 100
PID 1548 wrote to memory of 1088 1548 cmd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe"
(depth 1)
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\is-HB7BP.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HB7BP.tmp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.tmp" /SL5="$80090,139007,56832,C:\Users\Admin\AppData\Local\Temp\a89009b3265079816bda3849bf7a0f46_JaffaCakes118.exe"
(depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-H4KJP.tmp\ex.bat""
(depth 3)
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
(depth 4)
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1960,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
(depth 1)
PID:1020
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1B
MD5
68b329da9893e34099c7d8ad5cb9c940
SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09
-
Filesize
786B
MD5
4a1f8c2d68419edeab43532dddfd0c0b
SHA1
665ced8aae9f15182eb6946c2d5a3f479d3c2e65
SHA256
88ee4e950e7b87d97757cb0c56dacf74c70f68c6ba622daf16edb9ac0fbd5beb
SHA512
7ba03f42b729c25435cb2186291ed648cfafac0658e7293291069a7137f920c866f3078b410b60011ae5286434fb7e08b6bae4873e02a64122444e6c7ed738c5
-
Filesize
201KB
MD5
fda896f0acbb98fa2fd8763f7e0a7b7d
SHA1
87520c200aa1ee03fa627073053b9887147b2975
SHA256
2182268006a950cb31f425e4ce8aa31c9b4d5f7f84dd09e8a854710ddde31b0e
SHA512
2dfc45451a3128ff87910c1cfca91556e69f4cf367b9072e32e0af1676eba1a8c473e061e78971e910ca6d6889ad9b1aca2a4c56186e7003d200fe5f57f39550
-
Filesize
694KB
MD5
86462bc76b244bac73ee6ffe47354be2
SHA1
c66462dc233887f86f9e05ee36086de4edfd99b6
SHA256
e3da91f01ffb504352b5e8237a5465d0f492a750a7c9a6cef22b3a5d08230fc9
SHA512
c0cbe3a39c2fd18e257500faacafd9fc8913221278e492b355acf64e6d97ff622a46a325a5c18cee5843a1660fda64dbc3172fac642de77ed12321085d67cb65