Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-06-2024 10:13

General

  • Target

    11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe

  • Size

    73KB

  • MD5

    11a39d68a3c64cba4024cd8c3edb9b7b

  • SHA1

    b4ca642bc6280bc156032d3a1643949e5570e742

  • SHA256

    ccbc9ffe9d43dbc2ab7ce253fd6a7f72446d587b624d4813814f99d032ce2c21

  • SHA512

    b2a1f0cfed02fd05b0397550b194a6573614b91b62907715da298dc5a03f0a0cea92c1346f857cdfb47b5a1e642512a2f599b3515dc47f107d6ba1dbc7d1b3e5

  • SSDEEP

    1536:Zm5qDr/yTi5vjtjMSRJCkLoQ/TdyHpDgUQooXGyRcn5kC/BXUfp4Pw96:Zm5qn/U2vN7JL8JTQo1XkG5U6YM

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Server Software Component: Terminal Services DLL
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 460
      2⤵
      • Program crash
      PID:1376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11A39D~1.EXE > nul
      2⤵
      PID:4728
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k krnlsvc
    1⤵
    • Loads dropped DLL
    PID:1108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3636 -ip 3636
    1⤵
    PID:3392

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\KcupsxD.dll

    Filesize

    118KB

    MD5

    527849b3765d26c0b89191ab893ee813

    SHA1

    f032ce42cef07e1b5507fce3b296091dca277938

    SHA256

    0b268a02cb533fc1538dd34ea00c7cbf94d9cf4e31c46bde7cf8b8397b4fda42

    SHA512

    b16765cf83c020a66904b039f3401af5fc6e64476c9184fe4799ade17f4d4e32a21c51b667d21db6709ab60718a59fbdb2352903fb8be64e776da5d645fba687

  • memory/3636-0-0x0000000000400000-0x000000000043C7EA-memory.dmp

    Filesize

    241KB

  • memory/3636-1-0x0000000000401000-0x0000000000426000-memory.dmp

    Filesize

    148KB

  • memory/3636-2-0x0000000000400000-0x000000000043C7EA-memory.dmp

    Filesize

    241KB

  • memory/3636-4-0x0000000000400000-0x000000000043C7EA-memory.dmp

    Filesize

    241KB

  • memory/3636-13-0x0000000000401000-0x0000000000426000-memory.dmp

    Filesize

    148KB