Analysis

max time kernel:  147s
max time network: 127s
platform:         windows10-2004_x64
resource:         win10v2004-20240508-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted:        27-06-2024 04:54
Static task: static1
Behavioral task: behavioral1
  Sample:   14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
The signatures and process tree on this page are from the behavioral2 run (resource win10v2004-20240508-en, matching the platform listed above).
General

Target: 14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe
Size:   1.2MB
MD5:    14bfa0b873aea34715102981301c22b6
SHA1:   a780f19be3961fc97c936591ff4598ee217766f0
SHA256: 45039f4abca7cf477627a7e3fb512d3a8f6e898141aa0c59448049f35aa327fc
SHA512: 8141c852e17453d9d14dd5a0dfadb6e55924aeb0d2324b0688323f0e6d4ee54694ecf93519d68d7219c44e1f7afaf4f0f4c50219ef1d80c21158ecc6391700d4
SSDEEP: 12288:CrLVZU+/jedzCEabvIYj5kyESeQIGXCQcAatjuWNftoI96j83FqAmvwnFf/V3rbY:uLVKsREjQgXrv4AmYjPZinn9
The file name embeds the MD5; use the SHA256 when pivoting across sources, since MD5 collisions are cheap to manufacture.
Malware Config
Signatures

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                            process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate   vbc.exe

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the .NET Visual Basic command-line compiler, a Microsoft-signed binary. In this run it is started with no arguments (see the process tree below), so it compiles nothing; it is the target of the WriteProcessMemory and SetThreadContext calls recorded below.

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\""   14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe
The value is named after the system service host (svchost.exe) but points into the user's Temp directory. It sits under the user hive (HKCU), so writing it needs no elevation, and it fires at every logon of that user.

Suspicious use of SetThreadContext (1 IoC)
  description                           process                                              target process
  PID 2272 set thread context of 1168   14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe   vbc.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       vbc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   vbc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier            vbc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier      vbc.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  description        ioc                                                       process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  vbc.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
All 24 adjustments are made by PID 1168 (vbc.exe), i.e. by the code running inside the child, not by the original sample:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36 (numeric values the sandbox did not resolve to names).
Enabling every privilege the token holds in one sweep is itself a signal: a legitimate program enables the one or two it needs for a specific operation.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  1168   vbc.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                                   process                                              target process
  PID 2272 wrote to memory of 1168 (14 times)   14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe   vbc.exe
Fourteen writes from the sample into a freshly started, argument-less vbc.exe, followed by a SetThreadContext call from the same parent to the same child, is the footprint of process hollowing (or a closely related injection): the parent replaces or overlays the child's image and redirects its main thread to the injected code, so that the later registry fingerprinting, privilege changes and SetWindowsHookEx all appear to come from a signed Microsoft binary.
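The three behaviours the signatures above record (a Run value named svchost.exe that points outside the system directory, WriteProcessMemory plus SetThreadContext from the sample into vbc.exe, and a burst of HARDWARE\DESCRIPTION\System reads by the child) can each be turned into a detection. The following Python is an added example written for this page, not code from the sandbox or from the report; it runs the three checks over a constructed event list modelled on the IoC records above. The event field names (`op`, `target_pid`, `reg_set`, `reg_query`) and the list of system-binary names are this example's own assumptions.

```python
"""Three triage heuristics derived from the signatures above (example code for
this page; not from the sandbox).  Event records are constructed to mirror the
report's IoC lines; their field names are this example's own."""
from collections import Counter, defaultdict

SID = "S-1-5-21-1181767204-2009306918-3718769404-1000"
RUN_KEY = "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HW_KEY = "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System"
SAMPLE = "14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe"

# Constructed event stream: one record per IoC in the report.
EVENTS = [
    {"pid": 2272, "image": SAMPLE, "op": "reg_set", "key": RUN_KEY + "\\svchost.exe",
     "value": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\""},
    {"pid": 2272, "image": SAMPLE, "op": "SetThreadContext",
     "target_pid": 1168, "target_image": "vbc.exe"},
    *({"pid": 2272, "image": SAMPLE, "op": "WriteProcessMemory",
       "target_pid": 1168, "target_image": "vbc.exe"} for _ in range(14)),
    *({"pid": 1168, "image": "vbc.exe", "op": "reg_query", "key": HW_KEY + suffix}
      for suffix in ("\\SystemBiosDate",
                     "\\CentralProcessor\\0\\ProcessorNameString",
                     "\\CentralProcessor\\0\\Identifier",
                     "\\CentralProcessor\\0\\VendorIdentifier",
                     "\\Identifier")),
]

# Illustrative list (assumption): names that belong under the system directories.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def detect_hollowing(events):
    """Correlate WriteProcessMemory with SetThreadContext from the same source
    PID into the same target PID.  Either call alone is common; the pair into
    a just-started, argument-less binary is the process-hollowing footprint."""
    writes = Counter()
    contexts = {}
    for e in events:
        if e["op"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["op"] == "SetThreadContext":
            contexts[(e["pid"], e["target_pid"])] = e["target_image"]
    return [{"source_pid": src, "target_pid": dst, "target_image": img,
             "writes": writes[(src, dst)]}
            for (src, dst), img in contexts.items() if writes[(src, dst)]]


def detect_run_key_masquerade(events):
    """Flag a Run/RunOnce value whose name is a well-known system binary but
    whose command line does not resolve inside a Windows system directory."""
    hits = []
    for e in events:
        if e["op"] != "reg_set" or not any(m in e["key"] for m in RUN_KEY_MARKERS):
            continue
        name = e["key"].rsplit("\\", 1)[1].lower()
        path = e["value"].strip().strip("\"").lower()   # drop the quoting seen in the IoC
        if name in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM_DIRS):
            hits.append({"pid": e["pid"], "value_name": name, "path": path})
    return hits


def detect_hw_fingerprinting(events, threshold=2):
    """Per PID, count distinct reads under HARDWARE\\DESCRIPTION\\System.
    BIOS date and CPU identifier strings are what sandbox checks compare
    against known VM/emulator values; a burst of them is the tell."""
    per_pid = defaultdict(set)
    for e in events:
        if e["op"] == "reg_query" and e["key"].startswith(HW_KEY):
            per_pid[e["pid"]].add(e["key"])
    return {pid: sorted(keys) for pid, keys in per_pid.items() if len(keys) >= threshold}


if __name__ == "__main__":
    for h in detect_hollowing(EVENTS):
        print("hollowing-like: %(source_pid)d -> %(target_pid)d (%(target_image)s), %(writes)d writes" % h)
    for m in detect_run_key_masquerade(EVENTS):
        print("masqueraded Run value: %(value_name)s -> %(path)s (pid %(pid)d)" % m)
    for pid, keys in detect_hw_fingerprinting(EVENTS).items():
        print("hardware fingerprinting by pid %d: %d keys" % (pid, len(keys)))
```

On host telemetry the first two checks map onto Sysmon directly: Event ID 13 (registry value set) supplies `reg_set`, and Event ID 10 (process access) with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x20) and PROCESS_VM_OPERATION (0x8) is the usual proxy for WriteProcessMemory, since Sysmon does not log the API call itself. The third check has no Sysmon source at all: Sysmon records key and value changes, not reads, so the HARDWARE\DESCRIPTION\System queries are only visible from an API-monitoring sandbox or an EDR with registry-read hooks.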
Processes

1. C:\Users\Admin\AppData\Local\Temp\14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe (PID 2272)
   Command line: "C:\Users\Admin\AppData\Local\Temp\14bfa0b873aea34715102981301c22b6_JaffaCakes118.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1168, child of 2272)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      Started with no arguments, from the 32-bit Framework directory (not Framework64), which matches the sample's arch:x86 tag.

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1252)
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8
   A top-level Edge utility process with no signatures attached; it is not a child of the sample and is background activity of the analysis VM.