Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 14:30
Static task: static1
Behavioral task: behavioral1
  Sample: 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe
Size: 518KB
MD5: 06d798549154c28be78ce9f4074585c9
SHA1: fdf04f3277ce3c3eced17d679948e7df7a4f756a
SHA256: ad9b48bb70a715e82d4a7c133101400c38c7efac78ae82738cbcaba81f6c58a9
SHA512: 3ff86ec631987b912ee7cf6d7d3f2116553d61da2e752e5501ebeb515fa318ef776a68a47be9ac65f793332d2151a165871aa67440dec72198134e40e0c45bdb
SSDEEP: 12288:+xFal5fCzEsRoCp95sRuk297Wv3Rr8d/Xagc67Zt9Usu3ZXcjuTq:+jaHgEpE9Iup76h8d/7c6JE3ZMjF
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  3044  COMSER~1.EXE
  4736  wowmap.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe

Drops file in Windows directory (3 IoCs)
  description                  ioc                       Process
  File created                 C:\Windows\wowmap.exe     COMSER~1.EXE
  File opened for modification C:\Windows\wowmap.exe     COMSER~1.EXE
  File created                 C:\Windows\GUOCYOKl.BAT   COMSER~1.EXE

Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                              Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      wowmap.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     wowmap.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    wowmap.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   wowmap.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      wowmap.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3044  COMSER~1.EXE
  Token: SeDebugPrivilege   4736  wowmap.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4736  wowmap.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                              procid_target
  PID 4004 wrote to memory of 3044   4004  06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe   81
  PID 4004 wrote to memory of 3044   4004  06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe   81
  PID 4004 wrote to memory of 3044   4004  06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe   81
  PID 4736 wrote to memory of 4832   4736  wowmap.exe                                           83
  PID 4736 wrote to memory of 4832   4736  wowmap.exe                                           83
  PID 3044 wrote to memory of 708    3044  COMSER~1.EXE                                         84
  PID 3044 wrote to memory of 708    3044  COMSER~1.EXE                                         84
  PID 3044 wrote to memory of 708    3044  COMSER~1.EXE                                         84
Processes
C:\Users\Admin\AppData\Local\Temp\06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe (level 1, PID 4004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06d798549154c28be78ce9f4074585c9_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COMSER~1.EXE (level 2, PID 3044)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COMSER~1.EXE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (level 3, PID 708)
          Command line: C:\Windows\system32\cmd.exe /c C:\Windows\GUOCYOKl.BAT

C:\Windows\wowmap.exe (level 1, PID 4736)
  Command line: C:\Windows\wowmap.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\IEXPLORE.EXE (level 2, PID 4832)
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 493KB
MD5: 5956b1c78eaec57f148472e7066cedfe
SHA1: dbca650c8541ee49f1b5f3bd80047c75a0555ec3
SHA256: b38b59422075efcb463f44551b4e404a64530db264f2c2de7e451da5e32eaec7
SHA512: 46b43493d8182f9c8411dc3c8209b1e03b90297dff41997313f84d7a4594ad099854cf0ba13743ef6225ebffaba3fca1c5d96ed1d3dc932a9d3143c9bc7eb69d

Filesize: 164B
MD5: f76abc9f135f91db5e13f4f0e6e9c4c9
SHA1: 6a92d6d71946eb32f50f350b65313e495630d0ce
SHA256: 87d2a6832c8431fac2a0cb3661ad3bb85c078754480b7b4c5087dfa6e476b448
SHA512: e2ec636ea8f48f9e7918260274cc528d530198f91b070cbf324bf1e84d11e56102388d071c5fbe7982cf1ef42b571476a06e2368dcdc8a50fcc3adf029b3e8a5