Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 08:29
Behavioral task: behavioral1
- Sample: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe
- Size: 554KB
- MD5: 115bb996db9134faee5b6358e5ff50bb
- SHA1: 278cb404779917b736e814b95d8f121ce539b462
- SHA256: 26cf5dff70eed09bb07d746edce747902b01d4309c0e07ed5da7e6e9eb22d26c
- SHA512: 8710332bd128e5550f38a5ae359650013b6aa24944da160f9476c6b481404e71a069be4f7b6453879fd0a43c928497023a740742a4ccdb1bbc4844735afe120c
- SSDEEP: 12288:U8kivDNfzxH79ALFkdsw6zpFNFq4PFpixVnPXTMqqZt9SRpjqKAkl/5G:NvDbbc6kzho4LGnPXTMFZ/62KAkl/5G
Malware Config
Signatures
- Executes dropped EXE (7 IoCs)
  pid / Process:
  - 2352 1VMP~1.EXE
  - 636 1.exe
  - 2084 NO.exe
  - 1316 1.exe
  - 3576 1VMP~1.EXE
  - 2300 1.exe
  - 3184 1.exe
- YARA rule matches (resource / yara_rule):
  - behavioral2/memory/4584-0-0x0000000001000000-0x000000000110F000-memory.dmp vmprotect
  - behavioral2/memory/4584-2-0x0000000001000000-0x000000000110F000-memory.dmp vmprotect
  - behavioral2/files/0x000a00000002341c-6.dat vmprotect
  - behavioral2/memory/2352-10-0x0000000001000000-0x00000000010E0000-memory.dmp vmprotect
  - behavioral2/memory/2352-9-0x0000000001000000-0x00000000010E0000-memory.dmp vmprotect
  - behavioral2/memory/2352-8-0x0000000001000000-0x00000000010E0000-memory.dmp vmprotect
  - behavioral2/memory/4584-18-0x0000000001000000-0x000000000110F000-memory.dmp vmprotect
  - behavioral2/memory/2352-24-0x0000000001000000-0x00000000010E0000-memory.dmp vmprotect
  - behavioral2/memory/2352-30-0x0000000001000000-0x00000000010E0000-memory.dmp vmprotect
  - behavioral2/memory/3576-32-0x0000000001000000-0x00000000010E0000-memory.dmp vmprotect
  - behavioral2/memory/3576-44-0x0000000001000000-0x00000000010E0000-memory.dmp vmprotect
  - behavioral2/memory/4584-45-0x0000000001000000-0x000000000110F000-memory.dmp vmprotect
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (1VMP~1.EXE)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (1VMP~1.EXE)
- Drops file in Windows directory (5 IoCs)
  description / ioc / Process:
  - File created C:\Windows\NO.exe (1.exe)
  - File opened for modification C:\Windows\NO.exe (1.exe)
  - File opened for modification C:\Windows\NO.exe (1.exe)
  - File opened for modification C:\Windows\NO.exe (1.exe)
  - File opened for modification C:\Windows\NO.exe (1.exe)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege 636 1.exe
  - Token: SeDebugPrivilege 2084 NO.exe
  - Token: SeDebugPrivilege 1316 1.exe
  - Token: SeDebugPrivilege 2300 1.exe
  - Token: SeDebugPrivilege 3184 1.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process:
  - 2084 NO.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / Process / procid_target:
  - PID 4584 wrote to memory of 2352 | 4584 | 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe | 81
  - PID 4584 wrote to memory of 2352 | 4584 | 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe | 81
  - PID 4584 wrote to memory of 2352 | 4584 | 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe | 81
  - PID 2352 wrote to memory of 636 | 2352 | 1VMP~1.EXE | 82
  - PID 2352 wrote to memory of 636 | 2352 | 1VMP~1.EXE | 82
  - PID 2352 wrote to memory of 636 | 2352 | 1VMP~1.EXE | 82
  - PID 2084 wrote to memory of 2492 | 2084 | NO.exe | 84
  - PID 2084 wrote to memory of 2492 | 2084 | NO.exe | 84
  - PID 2352 wrote to memory of 1316 | 2352 | 1VMP~1.EXE | 89
  - PID 2352 wrote to memory of 1316 | 2352 | 1VMP~1.EXE | 89
  - PID 2352 wrote to memory of 1316 | 2352 | 1VMP~1.EXE | 89
  - PID 4584 wrote to memory of 3576 | 4584 | 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe | 91
  - PID 4584 wrote to memory of 3576 | 4584 | 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe | 91
  - PID 4584 wrote to memory of 3576 | 4584 | 115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe | 91
  - PID 3576 wrote to memory of 2300 | 3576 | 1VMP~1.EXE | 92
  - PID 3576 wrote to memory of 2300 | 3576 | 1VMP~1.EXE | 92
  - PID 3576 wrote to memory of 2300 | 3576 | 1VMP~1.EXE | 92
  - PID 3576 wrote to memory of 3184 | 3576 | 1VMP~1.EXE | 95
  - PID 3576 wrote to memory of 3184 | 3576 | 1VMP~1.EXE | 95
  - PID 3576 wrote to memory of 3184 | 3576 | 1VMP~1.EXE | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe (PID 4584, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\115bb996db9134faee5b6358e5ff50bb_JaffaCakes118.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE (PID 2352, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 636, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 1316, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE (PID 3576, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VMP~1.EXE
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 2300, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe (PID 3184, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
- C:\Windows\NO.exe (PID 2084, level 1)
  Command line: C:\Windows\NO.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2492, level 2)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 456KB
  MD5: ccdd3e65f37bf4b53e0996450f93dd5c
  SHA1: ae49d7887c0d9a4d134054f780ab4feeb82b40e8
  SHA256: 07184969a3a4af8c5eae7c492bbbbec18275ae010a1e3a5ff3a476b17350cbf3
  SHA512: a5252ca09bcb5f3a971659bc8bce1d3d16183aae28fb32199e6e4b9d24de37f33475addfbfa3cfafb9e4af09502c903c459ccc72d85827ab23359ca7a7d9109b
- Filesize: 359KB
  MD5: 17c12a6b4048548ac2d8f9f05707f0cc
  SHA1: 1e6e58475be22208a391182201e0e18488cf65a6
  SHA256: 4141f3e0d6fbaa369d77f79ed67f1e306b7f18633ef7908ccfc9ff32e788895e
  SHA512: e21310677eb451ddbcfb5e80be1fc9ec7e205b7a129c5a34739b7e0d1008a7c1a165f9f557a5d80644d438c6906b849b7d83e2a2bf0d6c5426ec3356c8b00148