Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-06-2024 08:06

General

  • Target
    114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe
  • Size
    528KB
  • MD5
    114b0b606e5cf7427184bc390c79ba9c
  • SHA1
    206f74ec955d64dfc3dff8d8181e4f2137c4b909
  • SHA256
    afb9216450c8dcb6b63ba81c8425d561568f7e20831e12227d6d1fa997e3fae1
  • SHA512
    637ff291ec3bf8e12edbe51a6a207e5a280a2f77e2b64a748dd7e7019f2229fdd1e70d12d63a169fde58dbe7544c2296c9fee922f59ab65e5c3ce2dd2aafbb01
  • SSDEEP
    12288:aX9mcUsSzxGztt/XLTIbhuqge68EEo+ulEl6HxTO4aO:we1xoLvQbhqe66o+2H84aO

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • VMProtect packed file (5 IoCs)
    Detects executables packed with VMProtect commercial packer.
  • Drops file in System32 directory (6 IoCs)
  • Modifies data under HKEY_USERS (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
      2⤵
      PID:1856
  • C:\Windows\SysWOW64\ChackPro.exe
    C:\Windows\SysWOW64\ChackPro.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2248

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
    Filesize
    228B
    MD5
    41b09be07764ced7d6de33de45b5bcae
    SHA1
    1c7458d40156b10929a7e2edb2fa6fa25c71365d
    SHA256
    f7072adedb23f30437e77d19b4ea5eb2c4e4f24c7601c4b2366424b9e30479bb
    SHA512
    5e1e594e09bd2c551fb3d00d5464619107a002228a19535bbfbf73bb713d774f6198ec0521dd5fcc50a33901611e77f0e21f70bb676e986b8606fcf617050fe6
  • C:\Windows\SysWOW64\ChackPro.exe
    Filesize
    528KB
    MD5
    114b0b606e5cf7427184bc390c79ba9c
    SHA1
    206f74ec955d64dfc3dff8d8181e4f2137c4b909
    SHA256
    afb9216450c8dcb6b63ba81c8425d561568f7e20831e12227d6d1fa997e3fae1
    SHA512
    637ff291ec3bf8e12edbe51a6a207e5a280a2f77e2b64a748dd7e7019f2229fdd1e70d12d63a169fde58dbe7544c2296c9fee922f59ab65e5c3ce2dd2aafbb01
  • memory/2248-4-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize
    128KB
  • memory/2248-9-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize
    128KB
  • memory/2760-0-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize
    128KB
  • memory/2760-7-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize
    128KB