Analysis

  • max time kernel
    136s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2024, 06:59

General

  • Target

    217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe

  • Size

    632KB

  • MD5

    217687daa0a13d4ad824b26225e66c79

  • SHA1

    b65611aa4e980bf387dc3a4624187930c4eceb57

  • SHA256

    7f549769ae36cacca1f331dd0b6123dedf4ba10badfcb798c46d810b2ebd5471

  • SHA512

    0d1b819fd61c35915fd9ebcce39433dc252075a5a4b0523c461a333b0e306ce9f8a992b5bb5a1d366baec0b8f08342aa2e29d9008e03b39047d240bab95774f0

  • SSDEEP

    12288:2MnBsXy90UXYMGwxeZY9kv4iS28wxv1Om8YkxMQE8tl:jsXyHgJ4iS28wB1l8YkK

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\217687daa0a13d4ad824b26225e66c79_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FACEBO~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FACEBO~1.EXE
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:3724
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f8 0x40c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
    1⤵
      PID:3564

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FACEBO~1.EXE

            Filesize

            490KB

            MD5

            f80f4913bdb389a1a39e22c75a2bfd76

            SHA1

            ab96759085df7eefbb783f7468f81bac4684589b

            SHA256

            d16e157f09e4708b16e0c59d8b80993edabad19f322ba777727261125d13905b

            SHA512

            d0673eedf6869a923602169a17233d66bb230d540f108ed1128aaeb7620d5ea9c42991a0b715798b0c58bdc3acbd0ec530f84a3ec5a9603fb9523c029d0cbbde

          • memory/3724-5-0x0000000000400000-0x00000000006F3000-memory.dmp

            Filesize

            2.9MB

          • memory/3724-6-0x0000000000D40000-0x0000000000D41000-memory.dmp

            Filesize

            4KB

          • memory/3724-7-0x0000000000D70000-0x0000000000D71000-memory.dmp

            Filesize

            4KB

          • memory/3724-17-0x0000000000400000-0x00000000006F3000-memory.dmp

            Filesize

            2.9MB