Analysis
- max time kernel: 144s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 14:40
Static task: static1
Behavioral task: behavioral1
  Sample: 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
- Target: 06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
- Size: 494KB
- MD5: 06eac92f6b9f34702c3d3bd2bd9555e7
- SHA1: 390bc1b081fcc49ec8b4f5839f7b289e582027c8
- SHA256: 75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6
- SHA512: 125b3c361c2d89bb6eaa5c95ee822268612c0d85341667a9ff53df18451723f995f4445c498da94f7521125a6cfb852f5ffd8c1efc933b9e3f607ba1c4f053c1
- SSDEEP: 6144:8ujkkw+rbv1L7AESgXqvbvewud9Tsh+xpYT7diMRVg6D098gWNlPTGQQm6agrdo9:8F+/B/Sxz2vpm7diMRaCNtTirdorJ/
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID   Process
  1280  lsass.exe
- Drops file in Windows directory (3 IoCs)
  Description                   IoC                      Process
  File created                  C:\Windows\lsass.exe     06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
  File opened for modification  C:\Windows\lsass.exe     06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
  File created                  C:\Windows\GUOCYOKl.BAT  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  2320  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
  Token: SeDebugPrivilege  1280  lsass.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  1280  lsass.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Description                       PID   Process                                             procid_target
  PID 1280 wrote to memory of 3972  1280  lsass.exe                                           95
  PID 1280 wrote to memory of 3972  1280  lsass.exe                                           95
  PID 2320 wrote to memory of 2524  2320  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe  96
  PID 2320 wrote to memory of 2524  2320  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe  96
  PID 2320 wrote to memory of 2524  2320  06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe  96
Processes
- C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06eac92f6b9f34702c3d3bd2bd9555e7_JaffaCakes118.exe"
  PID: 2320
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT
    PID: 2524
- C:\Windows\lsass.exe
  Command line: C:\Windows\lsass.exe
  PID: 1280
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
  PID: 3048
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 218B
  MD5: 01e30256c4b18e4eb53ab1f6d4ad9683
  SHA1: 450a08357c2774faadf58bf2a2c5280b17865994
  SHA256: 162553d33363b4da8ebf32823247727a0fb7c198e28f9d50e7ec81ebd9209267
  SHA512: 4a78426f8ba4b63b3add0b834e928c315a023237a81588e699f6cb6062c2dd50517a1605a6d05b505a24bf9e31c272f9e64e934aac49ca39e651479bee075e57
- Filesize: 494KB
  MD5: 06eac92f6b9f34702c3d3bd2bd9555e7
  SHA1: 390bc1b081fcc49ec8b4f5839f7b289e582027c8
  SHA256: 75ddb6531734dac744769578fb12c7be3a37a090716a14676122ecccc19328d6
  SHA512: 125b3c361c2d89bb6eaa5c95ee822268612c0d85341667a9ff53df18451723f995f4445c498da94f7521125a6cfb852f5ffd8c1efc933b9e3f607ba1c4f053c1