Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 08:06
Behavioral task
behavioral1
Sample
114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe
-
Size
528KB
-
MD5
114b0b606e5cf7427184bc390c79ba9c
-
SHA1
206f74ec955d64dfc3dff8d8181e4f2137c4b909
-
SHA256
afb9216450c8dcb6b63ba81c8425d561568f7e20831e12227d6d1fa997e3fae1
-
SHA512
637ff291ec3bf8e12edbe51a6a207e5a280a2f77e2b64a748dd7e7019f2229fdd1e70d12d63a169fde58dbe7544c2296c9fee922f59ab65e5c3ce2dd2aafbb01
-
SSDEEP
12288:aX9mcUsSzxGztt/XLTIbhuqge68EEo+ulEl6HxTO4aO:we1xoLvQbhqe66o+2H84aO
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2248 ChackPro.exe -
resource yara_rule behavioral2/memory/2760-0-0x0000000000400000-0x0000000000420000-memory.dmp vmprotect behavioral2/files/0x0008000000022f51-2.dat vmprotect behavioral2/memory/2248-4-0x0000000000400000-0x0000000000420000-memory.dmp vmprotect behavioral2/memory/2760-7-0x0000000000400000-0x0000000000420000-memory.dmp vmprotect behavioral2/memory/2248-9-0x0000000000400000-0x0000000000420000-memory.dmp vmprotect -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 ChackPro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE ChackPro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies ChackPro.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 ChackPro.exe File created C:\Windows\SysWOW64\ChackPro.exe 114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ChackPro.exe 114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" ChackPro.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" ChackPro.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix ChackPro.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ChackPro.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" ChackPro.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ChackPro.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" ChackPro.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" ChackPro.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2760 114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe Token: SeDebugPrivilege 2248 ChackPro.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2760 wrote to memory of 1856 2760 114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe 82 PID 2760 wrote to memory of 1856 2760 114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe 82 PID 2760 wrote to memory of 1856 2760 114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_uninsep.bat2⤵PID:1856
-
-
C:\Windows\SysWOW64\ChackPro.exeC:\Windows\SysWOW64\ChackPro.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2248
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228B
MD541b09be07764ced7d6de33de45b5bcae
SHA11c7458d40156b10929a7e2edb2fa6fa25c71365d
SHA256f7072adedb23f30437e77d19b4ea5eb2c4e4f24c7601c4b2366424b9e30479bb
SHA5125e1e594e09bd2c551fb3d00d5464619107a002228a19535bbfbf73bb713d774f6198ec0521dd5fcc50a33901611e77f0e21f70bb676e986b8606fcf617050fe6
-
Filesize
528KB
MD5114b0b606e5cf7427184bc390c79ba9c
SHA1206f74ec955d64dfc3dff8d8181e4f2137c4b909
SHA256afb9216450c8dcb6b63ba81c8425d561568f7e20831e12227d6d1fa997e3fae1
SHA512637ff291ec3bf8e12edbe51a6a207e5a280a2f77e2b64a748dd7e7019f2229fdd1e70d12d63a169fde58dbe7544c2296c9fee922f59ab65e5c3ce2dd2aafbb01