Analysis
max time kernel: 136s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2024, 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: 217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe
Size: 632KB
MD5: 217687daa0a13d4ad824b26225e66c79
SHA1: b65611aa4e980bf387dc3a4624187930c4eceb57
SHA256: 7f549769ae36cacca1f331dd0b6123dedf4ba10badfcb798c46d810b2ebd5471
SHA512: 0d1b819fd61c35915fd9ebcce39433dc252075a5a4b0523c461a333b0e306ce9f8a992b5bb5a1d366baec0b8f08342aa2e29d9008e03b39047d240bab95774f0
SSDEEP: 12288:2MnBsXy90UXYMGwxeZY9kv4iS28wxv1Om8YkxMQE8tl:jsXyHgJ4iS28wB1l8YkK
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  3724  FACEBO~1.EXE
- yara_rule matches
  resource                                                                       yara_rule
  behavioral2/files/0x000900000002366c-3.dat                                     upx
  behavioral2/memory/3724-5-0x0000000000400000-0x00000000006F3000-memory.dmp     upx
  behavioral2/memory/3724-17-0x0000000000400000-0x00000000006F3000-memory.dmp    upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                        pid   Process
  Token: 33                          4412  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  4412  AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3724  FACEBO~1.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                              procid_target
  PID 1164 wrote to memory of 3724   1164  217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe   90
  PID 1164 wrote to memory of 3724   1164  217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe   90
  PID 1164 wrote to memory of 3724   1164  217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe   90
Processes
- C:\Users\Admin\AppData\Local\Temp\217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe (PID 1164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FACEBO~1.EXE (PID 3724)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FACEBO~1.EXE
    Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\AUDIODG.EXE (PID 4412)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x40c
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3564)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 490KB
  MD5: f80f4913bdb389a1a39e22c75a2bfd76
  SHA1: ab96759085df7eefbb783f7468f81bac4684589b
  SHA256: d16e157f09e4708b16e0c59d8b80993edabad19f322ba777727261125d13905b
  SHA512: d0673eedf6869a923602169a17233d66bb230d540f108ed1128aaeb7620d5ea9c42991a0b715798b0c58bdc3acbd0ec530f84a3ec5a9603fb9523c029d0cbbde