Analysis
-
max time kernel
141s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
20-06-2024 14:24
Static task
static1
Behavioral task
behavioral1
Sample
06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe
-
Size
154KB
-
MD5
06cc2bf552ab081d6ed474fd13fb250d
-
SHA1
ac25b750a6e6ef426a47059e857e4507255c6fd0
-
SHA256
4778db65938e7531e308dd893851c71db03dcca57858d14156d4ceaa2c11b39e
-
SHA512
1f2fab4e16614fe74f4eb22221d75779e835e563184e37957006d25bed14d9453c2fae083acbb4752977ba18d9bafa42b6e67601188614122209d31f678f28bd
-
SSDEEP
3072:M3Pnai+j6RmtzBSfQgcbbrMbvT0q8O1cZPzQ7IXMBc+AMP+QfQEhxFyVU7UojkdJ:Myj6ezBCQgywvP6bQ7yMP+DE827UBJ
Malware Config
Signatures
-
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\fsmgmt.dll 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeBackupPrivilege 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Token: SeRestorePrivilege 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Token: SeBackupPrivilege 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe Token: SeRestorePrivilege 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2132 wrote to memory of 3380 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 57 PID 2132 wrote to memory of 820 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 91 PID 2132 wrote to memory of 820 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 91 PID 2132 wrote to memory of 820 2132 06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe 91
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\06cc2bf552ab081d6ed474fd13fb250d_JaffaCakes118.exe"2⤵
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DeleteMe.bat3⤵PID:820
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:81⤵PID:2780
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
237B
MD5f51f5958745b17fdbd1c8868aa693a5e
SHA108dbb2be1ebfa9811901440fdec933789c33294c
SHA256225b48155d382d72fefcf065a13d951c4a9b09e909ee27c7b02a1cca97c15fe3
SHA512ab2de50155f20b75cb55c327ec27ce0ed37bb10823830c686c90f6279136bc284b6100012c440812b7f79a2b9e467d223b883e2d08e767cdecc17daa0e6b9c5e