Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 08:46
Behavioral task: behavioral1
    Sample: 11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: 11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
    Resource: win10v2004-20240508-en
General
Target: 11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
Size: 77KB
MD5: 11685dce1e91f778788830d7eece48de
SHA1: 9843a1f12e6b9026b1da5a0f31198c081ec7c45e
SHA256: 399d231b8d6155b7eb56289b57e5065b7439da31f265ef423b7bcf61d45019e2
SHA512: 68393b06b933c4af2b22789820c4416ec62b22ee21f61b12487af9bae03f86757dc2d07200e530c03c5e8a487a10405b41443d5a42f2113527da25c5a2755ffc
SSDEEP: 1536:+5PM78Yn+qGOPRjtPGBWH5dRm1gwxCN7/GNQPifOorO4m4jcNhtRmXxiRFg5s2xH:MM78E/GiUWnRm+5rPifOorBm4wNhtRmJ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
    pid   Process
    2000  Aqnticivei.exe
    540   Aqnticivei.exe

YARA rule matches (9 IoCs)
    resource                                                                       yara_rule
    behavioral2/memory/2796-0-0x0000000000400000-0x0000000000424000-memory.dmp     vmprotect
    behavioral2/memory/2796-1-0x0000000000400000-0x0000000000424000-memory.dmp     vmprotect
    behavioral2/files/0x0008000000022f51-5.dat                                     vmprotect
    behavioral2/memory/2000-7-0x0000000000400000-0x0000000000424000-memory.dmp     vmprotect
    behavioral2/memory/2796-6-0x0000000000400000-0x0000000000424000-memory.dmp     vmprotect
    behavioral2/memory/2000-9-0x0000000000400000-0x0000000000424000-memory.dmp     vmprotect
    behavioral2/memory/540-11-0x0000000000400000-0x0000000000424000-memory.dmp     vmprotect
    behavioral2/memory/2000-12-0x0000000000400000-0x0000000000424000-memory.dmp    vmprotect
    behavioral2/memory/540-14-0x0000000000400000-0x0000000000424000-memory.dmp     vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
    pid   Process
    2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
    2000  Aqnticivei.exe
    540   Aqnticivei.exe

Suspicious use of SetThreadContext (1 IoC)
    description                          pid  Process         procid_target
    PID 540 set thread context of 1816   540  Aqnticivei.exe  85

Drops file in Program Files directory (2 IoCs)
    description                   ioc                                               Process
    File created                  C:\Program Files\Internet Explorer\Aqnticivei.exe  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
    File opened for modification  C:\Program Files\Internet Explorer\Aqnticivei.exe  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe

Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2832  1816        WerFault.exe  85

Suspicious use of AdjustPrivilegeToken (1 IoC)
    description                         pid   Process
    Token: SeIncBasePriorityPrivilege   2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
    description                          pid   Process                                             procid_target
    PID 2796 wrote to memory of 2000     2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  82
    PID 2796 wrote to memory of 2000     2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  82
    PID 2796 wrote to memory of 2000     2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  82
    PID 2796 wrote to memory of 1244     2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  83
    PID 2796 wrote to memory of 1244     2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  83
    PID 2796 wrote to memory of 1244     2796  11685dce1e91f778788830d7eece48de_JaffaCakes118.exe  83
    PID 540 wrote to memory of 1816      540   Aqnticivei.exe                                      85
    PID 540 wrote to memory of 1816      540   Aqnticivei.exe                                      85
    PID 540 wrote to memory of 1816      540   Aqnticivei.exe                                      85
    PID 540 wrote to memory of 1816      540   Aqnticivei.exe                                      85
    PID 540 wrote to memory of 1816      540   Aqnticivei.exe                                      85
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\11685dce1e91f778788830d7eece48de_JaffaCakes118.exe"
    PID: 2796
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\Aqnticivei.exe
        command line: "C:\Program Files\Internet Explorer\Aqnticivei.exe"
        PID: 2000
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger

    C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\11685D~1.EXE > nul
        PID: 1244

C:\Program Files\Internet Explorer\Aqnticivei.exe
    command line: "C:\Program Files\Internet Explorer\Aqnticivei.exe"
    PID: 540
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe
        command line: C:\Windows\system32\explorer.exe
        PID: 1816

        C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 12
            PID: 2832
            - Program crash

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1816 -ip 1816
    PID: 752
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 77KB
MD5: 11685dce1e91f778788830d7eece48de
SHA1: 9843a1f12e6b9026b1da5a0f31198c081ec7c45e
SHA256: 399d231b8d6155b7eb56289b57e5065b7439da31f265ef423b7bcf61d45019e2
SHA512: 68393b06b933c4af2b22789820c4416ec62b22ee21f61b12487af9bae03f86757dc2d07200e530c03c5e8a487a10405b41443d5a42f2113527da25c5a2755ffc