Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 10:13
Static task
static1
Behavioral task
behavioral1
Sample
11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe
-
Size
73KB
-
MD5
11a39d68a3c64cba4024cd8c3edb9b7b
-
SHA1
b4ca642bc6280bc156032d3a1643949e5570e742
-
SHA256
ccbc9ffe9d43dbc2ab7ce253fd6a7f72446d587b624d4813814f99d032ce2c21
-
SHA512
b2a1f0cfed02fd05b0397550b194a6573614b91b62907715da298dc5a03f0a0cea92c1346f857cdfb47b5a1e642512a2f599b3515dc47f107d6ba1dbc7d1b3e5
-
SSDEEP
1536:Zm5qDr/yTi5vjtjMSRJCkLoQ/TdyHpDgUQooXGyRcn5kC/BXUfp4Pw96:Zm5qn/U2vN7JL8JTQo1XkG5U6YM
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\beep.sys 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MediaCenter\Parameters\ServiceDll = "C:\\Windows\\system32\\KcupsxD.dll" 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe -
Loads dropped DLL 2 IoCs
pid Process 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe 1108 svchost.exe -
resource yara_rule behavioral2/files/0x0009000000023418-8.dat vmprotect -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\KcupsxD.dll 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1376 3636 WerFault.exe 81 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 652 Process not Found -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3636 wrote to memory of 4728 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe 86 PID 3636 wrote to memory of 4728 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe 86 PID 3636 wrote to memory of 4728 3636 11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\11a39d68a3c64cba4024cd8c3edb9b7b_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 4602⤵
- Program crash
PID:1376
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11A39D~1.EXE > nul2⤵PID:4728
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k krnlsvc1⤵
- Loads dropped DLL
PID:1108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3636 -ip 36361⤵PID:3392
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118KB
MD5527849b3765d26c0b89191ab893ee813
SHA1f032ce42cef07e1b5507fce3b296091dca277938
SHA2560b268a02cb533fc1538dd34ea00c7cbf94d9cf4e31c46bde7cf8b8397b4fda42
SHA512b16765cf83c020a66904b039f3401af5fc6e64476c9184fe4799ade17f4d4e32a21c51b667d21db6709ab60718a59fbdb2352903fb8be64e776da5d645fba687