Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-06-2024 10:35

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe
  Resource: win7-20240419-en
  7 signatures, 150 seconds
General

Target: b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe
Size: 136KB
MD5: b82b6b7a48bf4e049cb4c338b18921eb
SHA1: 41b9ee9deac56d3ad5ca11ca2db408ea67567b93
SHA256: c7c64507d9df7bc28d251132cb309b54b86e939d5e2e21894e0573e9a1ec9ddc
SHA512: ed02bf9522a1ff367a68103020242c623520809f168fa2d46202f26e19022bfc5f291cda08dc030e57ae5d7aa7fb356ce71ca74cbf506f97e9fbcb0e60cc6d5b
SSDEEP: 1536:ylQ1YOZpCGwKrKNDiVTzHvHTmaNBzkRNwmX2IlpI0cuF/2:h1YMpCGw5pqSaNBzrox2
Malware Config
Signatures
Drops file in System32 directory (4 IoCs)
  Process: pixswim.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
  Process: pixswim.exe
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

Suspicious behavior: EnumeratesProcesses (22 IoCs)
  PID 216   b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe   2 events
  PID 2132  b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe   2 events
  PID 1712  pixswim.exe                                           2 events
  PID 1680  pixswim.exe                                           16 events

Suspicious behavior: RenamesItself (1 IoC)
  PID 2132  b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 216 wrote to memory of 2132   source: b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe   target: b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe   3 events
  PID 1712 wrote to memory of 1680  source: pixswim.exe   target: pixswim.exe   3 events
Processes

PID 216   C:\Users\Admin\AppData\Local\Temp\b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  PID 2132  C:\Users\Admin\AppData\Local\Temp\b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: RenamesItself

PID 1712  C:\Windows\SysWOW64\pixswim.exe
          Command line: "C:\Windows\SysWOW64\pixswim.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  PID 1680  C:\Windows\SysWOW64\pixswim.exe
            Command line: "C:\Windows\SysWOW64\pixswim.exe"
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
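The WriteProcessMemory rows, the process tree and the file/registry IoCs above are raw sandbox output. The Python below is an added example, not part of this report or of the sandbox's tooling: it re-parses those rows (embedded as constructed sample data copied from the sections above) into three simple triage checks: a parent writing into a freshly spawned copy of its own image, processes executing directly out of System32/SysWOW64, and writes into the LocalSystem profile (`...\config\systemprofile`) or the `HKU\.DEFAULT` hive, which is the footprint WinINet leaves when the calling process runs as LocalSystem rather than as a logged-on user. The function names, the line format the regex assumes and the path prefixes are my own assumptions. The report does not show how the first pixswim.exe instance was started, so these checks surface patterns for an analyst to follow up; they are not a verdict.

```python
import re
from collections import OrderedDict

SAMPLE = "b82b6b7a48bf4e049cb4c338b18921eb_JaffaCakes118.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW64 = r"C:\Windows\SysWOW64"

# Constructed from the "Suspicious use of WriteProcessMemory" rows of this report
# (one row per call, so the same parent/child pair repeats).
WPM_LINES = [
    f"PID 216 wrote to memory of 2132 216 {SAMPLE} {SAMPLE}",
    f"PID 216 wrote to memory of 2132 216 {SAMPLE} {SAMPLE}",
    f"PID 216 wrote to memory of 2132 216 {SAMPLE} {SAMPLE}",
    "PID 1712 wrote to memory of 1680 1712 pixswim.exe pixswim.exe",
    "PID 1712 wrote to memory of 1680 1712 pixswim.exe pixswim.exe",
    "PID 1712 wrote to memory of 1680 1712 pixswim.exe pixswim.exe",
]

# Constructed from the "Processes" tree: pid -> image path.
PROCESSES = {
    216: TEMP + "\\" + SAMPLE,
    2132: TEMP + "\\" + SAMPLE,
    1712: SYSWOW64 + "\\pixswim.exe",
    1680: SYSWOW64 + "\\pixswim.exe",
}

# Constructed from the file-drop and HKEY_USERS sections: (process, kind, target).
IOCS = [
    ("pixswim.exe", "file", SYSWOW64 + r"\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5"),
    ("pixswim.exe", "file", SYSWOW64 + r"\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE"),
    ("pixswim.exe", "file", SYSWOW64 + r"\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies"),
    ("pixswim.exe", "file", SYSWOW64 + r"\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5"),
    ("pixswim.exe", "reg", r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix"),
    ("pixswim.exe", "reg", r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix"),
    ("pixswim.exe", "reg", r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix"),
]

# Assumed row layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_wpm(lines):
    """Collapse per-call rows into (src_pid, dst_pid, src_image, dst_image) -> call count,
    keeping first-seen order so output is stable for diffing between runs."""
    pairs = OrderedDict()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # unrelated or truncated row: skip rather than abort triage
        key = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        pairs[key] = pairs.get(key, 0) + 1
    return pairs


def self_injection(lines):
    """A parent writing into a child that runs the same image name. Spawning a copy of
    yourself and writing into it is the usual first step of self-injection/hollowing;
    legitimate launchers rarely do it, but confirm with the child's memory, not this alone."""
    return [(s, d, si) for (s, d, si, di) in parse_wpm(lines) if si == di and s != d]


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def running_from_system_dir(procs):
    """PIDs whose image sits directly in System32 or SysWOW64 (not in a subdirectory).
    Plenty of legitimate binaries live there, so pair this with drop/rename evidence."""
    hits = []
    for pid, path in procs.items():
        low = path.lower()
        for d in SYSTEM_DIRS:
            if low.startswith(d) and "\\" not in low[len(d):]:
                hits.append(pid)
    return sorted(hits)


LOCALSYSTEM_PREFIXES = (
    "c:\\windows\\system32\\config\\systemprofile\\",
    "c:\\windows\\syswow64\\config\\systemprofile\\",
    "\\registry\\user\\.default\\",
)


def localsystem_context(iocs):
    """Per-process count of writes into the LocalSystem profile or HKU\\.DEFAULT.
    A process started by a logged-on user writes to that user's profile and hive instead,
    so hits here suggest the writer ran under the SYSTEM account."""
    counts = {}
    for proc, _kind, target in iocs:
        if target.lower().startswith(LOCALSYSTEM_PREFIXES):
            counts[proc] = counts.get(proc, 0) + 1
    return counts


if __name__ == "__main__":
    print("self-injection pairs:", self_injection(WPM_LINES))
    print("running from system dir:", running_from_system_dir(PROCESSES))
    print("LocalSystem-context writes:", localsystem_context(IOCS))
```

Run as-is to see the three findings for this report; to reuse on another report, paste its WriteProcessMemory rows into `WPM_LINES` and its process tree into `PROCESSES`. The regex deliberately skips rows it cannot parse instead of raising, since sandbox tables often carry wrapped or truncated lines.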