Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/07/2024, 18:15

Static task: static1
Behavioral task: behavioral1
  Sample: 2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
Size: 5.5MB
MD5: 2923741317a4e7ae4285060d6f0297f2
SHA1: 26870024a6780ea6b2433f36ddcbe302072f5b15
SHA256: 322e7d7d4245bbc92bf6ba22ed754ef2a7c7f5f9ffd206d874b186c5ef83482f
SHA512: 4a6cbff480babc2af58cdbd3e3d184a75d60501c4318906204dbdfb67c48f1ba14c1d9d7c33063945d6a3a13a87896a6f25be5b461c1a4e24d8dda27e56af337
SSDEEP: 98304:tzzsbbcV2VQ52AlFj6DN1ZwFvpQx/2gld9CX4qcezkw+B9dzOZh2TdgWPeQtc8QP:tzz+wt27DNniFglTC3ceAw+B9MZh2TKb
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource                                    yara_rule
behavioral2/files/0x0007000000023256-4.dat  acprotect
Loads dropped DLL 39 IoCs
pid   Process
4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  (the same pid/process pair is recorded 39 times)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill 6 IoCs
pid   Process
3136  taskkill.exe
184   taskkill.exe
4884  taskkill.exe
1508  taskkill.exe
4172  taskkill.exe
4436  taskkill.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid   Process
4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  (the same pid/process pair is recorded 16 times)
Suspicious use of AdjustPrivilegeToken 6 IoCs
description              pid   Process
Token: SeDebugPrivilege  184   taskkill.exe
Token: SeDebugPrivilege  4884  taskkill.exe
Token: SeDebugPrivilege  1508  taskkill.exe
Token: SeDebugPrivilege  4172  taskkill.exe
Token: SeDebugPrivilege  4436  taskkill.exe
Token: SeDebugPrivilege  3136  taskkill.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 36 IoCs
description                       pid   Process                                             procid_target
PID 4808 wrote to memory of 5060  4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  85
PID 5060 wrote to memory of 184   5060  cmd.exe                                             87
PID 4808 wrote to memory of 4684  4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  89
PID 4684 wrote to memory of 4884  4684  cmd.exe                                             91
PID 4808 wrote to memory of 3460  4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  92
PID 3460 wrote to memory of 1508  3460  cmd.exe                                             94
PID 4808 wrote to memory of 3948  4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  95
PID 3948 wrote to memory of 4172  3948  cmd.exe                                             97
PID 4808 wrote to memory of 4960  4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  98
PID 4960 wrote to memory of 4436  4960  cmd.exe                                             100
PID 4808 wrote to memory of 4044  4808  2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe  101
PID 4044 wrote to memory of 3136  4044  cmd.exe                                             103
(each of the 12 rows above is recorded three times in the report, giving the 36 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2923741317a4e7ae4285060d6f0297f2_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4808

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C taskkill /f /im "Funshion.exe"
      - Suspicious use of WriteProcessMemory
      PID: 5060

      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /f /im "Funshion.exe"
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 184

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C taskkill /f /im "FSPServer.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4684

      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /f /im "FSPServer.exe"
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 4884

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionService.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3460

      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /f /im "FunshionService.exe"
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 1508

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C taskkill /f /im "Updater.exe"
      - Suspicious use of WriteProcessMemory
      PID: 3948

      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /f /im "Updater.exe"
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 4172

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpdate.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4960

      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /f /im "FunshionUpdate.exe"
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 4436

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C taskkill /f /im "FunshionUpgrade.exe"
      - Suspicious use of WriteProcessMemory
      PID: 4044

      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /f /im "FunshionUpgrade.exe"
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 3136
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 156KB
MD5: 0fc4d42653fc43553b7dcb6ffe55d189
SHA1: 49f4aac3f3fb089f310b7a526a5ab45d16d0dc0b
SHA256: e648ca2482f9e4bd7fffec2b80ab30adda424c26dae781bcb1760e384430cfc9
SHA512: 603c759ee4b16c1d862a2a82814df939207c61120543b807821aba394ddc7ec9db228e19dbf09e8a26c439d9e1548154eadb7ec6d8757b4492e132fc47059546

Filesize: 172KB
MD5: 685f1cbd4af30a1d0c25f252d399a666
SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Filesize: 4KB
MD5: b9380b0bea8854fd9f93cc1fda0dfeac
SHA1: edb8d58074e098f7b5f0d158abedc7fc53638618
SHA256: 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
SHA512: 45c3ab0f2bce53b75e72e43bac747dc0618342a3f498be8e2eb62a6db0b137fcdb1735da83051b14824996b5287109aa831e5859d6f21f0ed21b76b3d335418c

Filesize: 31KB
MD5: 83cd62eab980e3d64c131799608c8371
SHA1: 5b57a6842a154997e31fab573c5754b358f5dd1c
SHA256: a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294
SHA512: 91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Filesize: 14KB
MD5: 325b008aec81e5aaa57096f05d4212b5
SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Filesize: 32KB
MD5: 83142eac84475f4ca889c73f10d9c179
SHA1: dbe43c0de8ef881466bd74861b2e5b17598b5ce8
SHA256: ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729
SHA512: 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Filesize: 14KB
MD5: a5f8399a743ab7f9c88c645c35b1ebb5
SHA1: 168f3c158913b0367bf79fa413357fbe97018191
SHA256: dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512: 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 126B
MD5: 35e4b01a17602245e12abbc306e3613a
SHA1: 4624562000e4fc68b436adcddf6cae7db8d5cb8c
SHA256: b886699e29278b684f76da55532f1e31640bca631165eb664ded5e43cc79f7db
SHA512: 1d846ba4cd93262e217dd937f18042c27875a31fed0751055c94111d16e475e795e77aa0023d2d29f5f476347ba97344d73ff7af17e42aabfc37246218ddc09e

Filesize: 8KB
MD5: a7d710e78711d5ab90e4792763241754
SHA1: f31cecd926c5d497aba163a17b75975ec34beb13
SHA256: 9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2
SHA512: f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0