b66b4590045c5e834b0c7e303e60162a79d29995b6f51e6889b15b744c03e631

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
Size

21KB
MD5

0ebdd7332c60eff30d5df25f1848fb9c
SHA1

2e1eaf56fac198cf23daf6269673571fd5bde09a
SHA256

b66b4590045c5e834b0c7e303e60162a79d29995b6f51e6889b15b744c03e631
SHA512

55ace24000b6fcbee97600debebad2e67e21f351edb38422bf3bd3d61faca91e8655a51f6bc4b9e4a8d435965a6c1983dc0deba48e3bebe8bb9bb091eaec0cc1
SSDEEP

384:J6XsYVL3GPTmMbrPI8olZiw3lzdBqgV06fSSDaQYIg:QtVwCaPylzPqAxaLH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5008	wamn.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wamn.exe	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wamn.exe	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
652	taskkill.exe
1584	taskkill.exe
2824	taskkill.exe
936	taskkill.exe
4728	taskkill.exe
2984	taskkill.exe
3264	taskkill.exe
5016	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe
5008	wamn.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2944	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	82
PID 2656 wrote to memory of 2944	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	82
PID 2656 wrote to memory of 2944	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	82
PID 2656 wrote to memory of 732	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	83
PID 2656 wrote to memory of 732	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	83
PID 2656 wrote to memory of 732	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	83
PID 2656 wrote to memory of 4048	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	84
PID 2656 wrote to memory of 4048	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	84
PID 2656 wrote to memory of 4048	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	84
PID 2656 wrote to memory of 4312	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	85
PID 2656 wrote to memory of 4312	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	85
PID 2656 wrote to memory of 4312	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	85
PID 5008 wrote to memory of 540	5008	wamn.exe	91
PID 5008 wrote to memory of 540	5008	wamn.exe	91
PID 5008 wrote to memory of 540	5008	wamn.exe	91
PID 5008 wrote to memory of 3528	5008	wamn.exe	92
PID 5008 wrote to memory of 3528	5008	wamn.exe	92
PID 5008 wrote to memory of 3528	5008	wamn.exe	92
PID 5008 wrote to memory of 4104	5008	wamn.exe	93
PID 5008 wrote to memory of 4104	5008	wamn.exe	93
PID 5008 wrote to memory of 4104	5008	wamn.exe	93
PID 5008 wrote to memory of 4356	5008	wamn.exe	94
PID 5008 wrote to memory of 4356	5008	wamn.exe	94
PID 5008 wrote to memory of 4356	5008	wamn.exe	94
PID 2656 wrote to memory of 324	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	95
PID 2656 wrote to memory of 324	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	95
PID 2656 wrote to memory of 324	2656	0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe	95
PID 2944 wrote to memory of 4728	2944	cmd.exe	100
PID 2944 wrote to memory of 4728	2944	cmd.exe	100
PID 2944 wrote to memory of 4728	2944	cmd.exe	100
PID 4312 wrote to memory of 2984	4312	cmd.exe	101
PID 4312 wrote to memory of 2984	4312	cmd.exe	101
PID 4312 wrote to memory of 2984	4312	cmd.exe	101
PID 4356 wrote to memory of 3264	4356	cmd.exe	103
PID 4356 wrote to memory of 3264	4356	cmd.exe	103
PID 4356 wrote to memory of 3264	4356	cmd.exe	103
PID 4048 wrote to memory of 652	4048	cmd.exe	104
PID 4048 wrote to memory of 652	4048	cmd.exe	104
PID 4048 wrote to memory of 652	4048	cmd.exe	104
PID 540 wrote to memory of 5016	540	cmd.exe	102
PID 540 wrote to memory of 5016	540	cmd.exe	102
PID 540 wrote to memory of 5016	540	cmd.exe	102
PID 732 wrote to memory of 1584	732	cmd.exe	105
PID 732 wrote to memory of 1584	732	cmd.exe	105
PID 732 wrote to memory of 1584	732	cmd.exe	105
PID 3528 wrote to memory of 2824	3528	cmd.exe	106
PID 3528 wrote to memory of 2824	3528	cmd.exe	106
PID 3528 wrote to memory of 2824	3528	cmd.exe	106
PID 4104 wrote to memory of 936	4104	cmd.exe	108
PID 4104 wrote to memory of 936	4104	cmd.exe	108
PID 4104 wrote to memory of 936	4104	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ebdd7332c60eff30d5df25f1848fb9c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0EBDD7~1.EXE > nul
  2⤵
  PID:324

C:\Windows\SysWOW64\wamn.exe
C:\Windows\SysWOW64\wamn.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwmain.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwmain.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwstub.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwstub.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im rfwproxy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfwproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wamn.exe

Filesize
21KB

MD5
0ebdd7332c60eff30d5df25f1848fb9c

SHA1
2e1eaf56fac198cf23daf6269673571fd5bde09a

SHA256
b66b4590045c5e834b0c7e303e60162a79d29995b6f51e6889b15b744c03e631

SHA512
55ace24000b6fcbee97600debebad2e67e21f351edb38422bf3bd3d61faca91e8655a51f6bc4b9e4a8d435965a6c1983dc0deba48e3bebe8bb9bb091eaec0cc1

Download Submit