ff4788fd4f280b18a700fd7e5ef35d6d0d93d0a93e43ac4ab8bb80f6e64dbb2c

Analysis

max time kernel
132s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.exe
Size

1.8MB
MD5

21a23960aa11e3ea216cfc9b97512384
SHA1

f3481fecfe1a1d33a62d869251b5c04378343cbb
SHA256

ff4788fd4f280b18a700fd7e5ef35d6d0d93d0a93e43ac4ab8bb80f6e64dbb2c
SHA512

da087b5358c2c03340fb7dcdadc1bd3ddeddecc28623031411e605095cdeea47987075116f49f5acab1bb53fd14cdf0c4212bba81895808ff3ce06a450c9ea73
SSDEEP

49152:v2Od/jaVVjdoM4TqPpdeiBVPj1WnQ9xRaV:uOd/joVSFYd1b9xS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
232	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp

Loads dropped DLL 1 IoCs

pid	Process
232	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
5068	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 232	1528	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.exe	90
PID 1528 wrote to memory of 232	1528	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.exe	90
PID 1528 wrote to memory of 232	1528	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.exe	90
PID 232 wrote to memory of 4956	232	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp	109
PID 232 wrote to memory of 4956	232	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp	109
PID 232 wrote to memory of 4956	232	21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp	109
PID 4956 wrote to memory of 5068	4956	cmd.exe	111
PID 4956 wrote to memory of 5068	4956	cmd.exe	111
PID 4956 wrote to memory of 5068	4956	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\is-JT3Q3.tmp\21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JT3Q3.tmp\21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp" /SL5="$A016C,1556197,53248,C:\Users\Admin\AppData\Local\Temp\21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c taskkill /f /im rkverify.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rkverify.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-JT3Q3.tmp\21a23960aa11e3ea216cfc9b97512384_JaffaCakes118.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V0GCT.tmp\Games.inf

Filesize
240B

MD5
fc642069f917b44da5dfd940227fa79d

SHA1
bfa8aa40f516dc157c8a3d0b1b79bef7d3da79bf

SHA256
4e1a02d49c50af22855529a59909b33e4c0c63acd9df25ec16cb8452866f49c6

SHA512
65fba9d0b57a4529ac01e80b9c0177194c9e257a882b2b723f9ab231348a1545a673948a9fc5bfc6b70a866e74263236a524ac520de14669471212a91c9c4c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V0GCT.tmp\isxdl.dll

Filesize
49KB

MD5
02ecc74f7f91e9ffd84de708683236a6

SHA1
3532de0b77df8b0fc89e9c7eddec3fa71f98f5a2

SHA256
30ad8a0e1cee091ca48c771adb2e76baf1a7d54b9f60dc47f54dfdc2d6f6691e

SHA512
a3fdaa651f82428395bc412a2a04fce673768d3ef088b3748addf337d95464eb141ae7c286bff5c705eae05dd7b38207629588ae7e89ada15269463cd7acf541

Download Submit
memory/232-7-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/232-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/232-54-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/232-66-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1528-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1528-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1528-33-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1528-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download