Analysis

max time kernel: 131s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 16:43

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
  Resource: win7-20240508-en
General

Target: af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
Size: 264KB
MD5: af64b00ee58a65e1d0b0fe0d9295b018
SHA1: 255faa0e50e104ae5f353e5516d9cdf9a8d61c79
SHA256: 6d28339809a4e1e8cf45ab998568f777c2ad101c75f94c72461e8592ef581b98
SHA512: 9b0e0405ef2e75079684547e39a510abae679b1d97015ab4a7d5e44a0e6bebe226ec4d71e25a2bb0a7e4c18c8c55cddac8615379b8b8801f5d970465529e0cc4
SSDEEP: 1536:DuaWmy41frZbE5KLCX6kxCxRjFnYDdyrrQkATezKwXHfterq8:DuaWmyWfrZYX6kSEgrrQkA2KWFeH
Malware Config
Signatures

Drops file in System32 directory (4 IoCs)
Process: quotashared.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
Process: quotashared.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID   Process                                             Hits
  3912  af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe  2
  3464  af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe  2
  1824  quotashared.exe                                     2
  1664  quotashared.exe                                     14

Suspicious behavior: RenamesItself (1 IoC)
  PID 3464  af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Description                       PID   Process                                             Target process                                      Count
  PID 3912 wrote to memory of 3464  3912  af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe  af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe  3
  PID 1824 wrote to memory of 1664  1824  quotashared.exe                                     quotashared.exe                                     3
Processes

(PIDs are taken from the signature tables above: the depth-1 sample process is the one that wrote to memory of 3464, the depth-2 copy is the one flagged for RenamesItself.)

C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe  (PID 3912)
  command line: "C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe  (PID 3464)
       command line: "C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\quotashared.exe  (PID 1824)
  command line: "C:\Windows\SysWOW64\quotashared.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\quotashared.exe  (PID 1664)
       command line: "C:\Windows\SysWOW64\quotashared.exe"
       - Drops file in System32 directory
       - Modifies data under HKEY_USERS
       - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Memory dumps (PID-index, mapped range, size)

  PID   Idx  Range                                    Size
  1664  32   0x00000000004E0000-0x00000000004ED000    52KB
  1664  27   0x00000000004E0000-0x00000000004ED000    52KB
  1664  28   0x0000000000600000-0x0000000000610000    64KB
  1824  15   0x00000000006B0000-0x00000000006BD000    52KB
  1824  29   0x0000000000530000-0x000000000053D000    52KB
  1824  20   0x0000000000530000-0x000000000053D000    52KB
  1824  21   0x00000000006C0000-0x00000000006D0000    64KB
  1824  19   0x00000000006B0000-0x00000000006BD000    52KB
  3464  7    0x00000000005F0000-0x00000000005FD000    52KB
  3464  12   0x00000000005E0000-0x00000000005ED000    52KB
  3464  13   0x0000000000600000-0x0000000000610000    64KB
  3464  11   0x00000000005F0000-0x00000000005FD000    52KB
  3464  31   0x00000000005E0000-0x00000000005ED000    52KB
  3464  30   0x0000000000400000-0x0000000000443000    268KB
  3912  14   0x0000000000510000-0x000000000051D000    52KB
  3912  4    0x0000000000520000-0x000000000052D000    52KB
  3912  5    0x0000000000510000-0x000000000051D000    52KB
  3912  6    0x0000000000530000-0x0000000000540000    64KB
  3912  0    0x0000000000520000-0x000000000052D000    52KB

File names follow the pattern memory/<PID>-<index>-<start>-<end>-memory.dmp, e.g. memory/3464-30-0x0000000000400000-0x0000000000443000-memory.dmp.
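The "Suspicious use of WriteProcessMemory" signature and the memory-dump list are the two parts of this report worth reading together: in both process trees a parent writes into a child that runs the same executable, and the child 3464 is the only process with a dump starting at 0x400000. The script below is an added example, not part of the sandbox output or of the sample; it parses those lines (copied from this page as constructed input) into records, flags writer/target pairs with the same image, and reports which dumps begin at 0x400000 and how large they are. Reading a 0x400000 region as a rewritten image is my assumption, consistent with the x86 tag and the SysWOW64 path but not stated by the report; the function names are mine.

```python
import re
from collections import Counter

SAMPLE = "af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"

# Constructed input: the six WriteProcessMemory IoC lines from this report, one per call,
# in the flattened "description pid process target" form the page shows.
WPM_LINES = [
    f"PID 3912 wrote to memory of 3464 3912 {SAMPLE} {SAMPLE}",
    f"PID 3912 wrote to memory of 3464 3912 {SAMPLE} {SAMPLE}",
    f"PID 3912 wrote to memory of 3464 3912 {SAMPLE} {SAMPLE}",
    "PID 1824 wrote to memory of 1664 1824 quotashared.exe quotashared.exe",
    "PID 1824 wrote to memory of 1664 1824 quotashared.exe quotashared.exe",
    "PID 1824 wrote to memory of 1664 1824 quotashared.exe quotashared.exe",
]

# Constructed input: a few of the dump names listed under Downloads.
DUMP_NAMES = [
    "memory/3464-30-0x0000000000400000-0x0000000000443000-memory.dmp",
    "memory/3464-31-0x00000000005E0000-0x00000000005ED000-memory.dmp",
    "memory/3464-13-0x0000000000600000-0x0000000000610000-memory.dmp",
    "memory/1664-32-0x00000000004E0000-0x00000000004ED000-memory.dmp",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_wpm(line):
    """Split one flattened WriteProcessMemory IoC line into its four columns."""
    m = WPM_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    src, dst, pid, process, target = m.groups()
    if src != pid:  # the description and the pid column must name the same writer
        raise ValueError(f"description PID {src} disagrees with pid column {pid}")
    return {"pid": int(src), "target_pid": int(dst), "process": process, "target": target}


def same_image_writers(lines):
    """Count writes where the writer and the target run the same executable but are
    different processes: {(writer_pid, target_pid, image): number_of_writes}.
    This is the footprint a parent leaves when it rewrites a child of its own image;
    the report records the writes, not what was written, so this is a trigger, not a verdict."""
    hits = Counter()
    for line in lines:
        rec = parse_wpm(line)
        if rec["process"] == rec["target"] and rec["pid"] != rec["target_pid"]:
            hits[(rec["pid"], rec["target_pid"], rec["process"])] += 1
    return dict(hits)


def parse_dump(name):
    """Decode a dump file name into pid, index, start, end and size in KiB."""
    m = DUMP_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end,
            "kib": (end - start) // 1024}


def image_base_regions(names, base=0x400000):
    """Dumps that begin at `base` (0x400000 is the usual link-time base of a 32-bit PE).
    Assumption: such a region in a written-to child is the candidate rewritten image."""
    return [d for d in map(parse_dump, names) if d["start"] == base]


if __name__ == "__main__":
    for (writer, target, image), n in same_image_writers(WPM_LINES).items():
        print(f"{writer} -> {target}: {n} write(s), both running {image}")
    for d in image_base_regions(DUMP_NAMES):
        print(f"PID {d['pid']} dump {d['index']}: {d['start']:#x}-{d['end']:#x} ({d['kib']} KiB)")
```

On this page's data the script yields two writer/target pairs, 3912 to 3464 and 1824 to 1664, three writes each, and exactly one 0x400000 region, dump 3464-30 at 268KB. That is 4KB more than the 264KB file on disk, the kind of difference section alignment produces when a PE is mapped, so the hypothesis that the child's image was replaced by a copy of the sample is worth checking by opening that dump; the report itself only records the sizes, so treat it as a hypothesis, not a finding.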