Analysis

Max time kernel: 142s
Max time network: 129s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-07-2024 21:07

Static task: static1

Behavioral task: behavioral1
Sample: 36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General

Target: 36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
Size: 633KB
MD5: 36626fc09c3aa85b20e32b87003bf010
SHA1: 7fb76c8dfdcd827691b8a18ddaa0de2029a58f1e
SHA256: 293fab758a415b9974ab37d05c46840453d3b19bc8b17ccd5ca87a89d75a1684
SHA512: 0703e1e40f2a97c057f18f03cf4e0c3640955ef3dc0d1ba59f216087a6ea38f71edf4ac262e06068d34a96d1a29b19939e715551cbdce24dee037eae437dd919
SSDEEP: 12288:7lMg+l9YDAkGW0+WSyOFa4NMSnfy0cF0f6/FcF3Z4mxxjDqVTVOCdXY:7lMXlkb0+zqCMSnfyBKf6aQmXKVTzJY
Malware Config

Signatures

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2548  svchos.exe

- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
    File created                  C:\Windows\svchos.exe     36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
    File opened for modification  C:\Windows\svchos.exe     36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
    File created                  C:\Windows\uninstal.bat   36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege   540   36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
    Token: SeDebugPrivilege   2548  svchos.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
    2548  svchos.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description, pid, process, target process):
    PID 2548 wrote to memory of 1804   2548  svchos.exe                                           ieXplorE.ExE
    PID 2548 wrote to memory of 1804   2548  svchos.exe                                           ieXplorE.ExE
    PID 540 wrote to memory of 3360    540   36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe  cmd.exe
    PID 540 wrote to memory of 3360    540   36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe  cmd.exe
    PID 540 wrote to memory of 3360    540   36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe  cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36626fc09c3aa85b20e32b87003bf010_JaffaCakes118.exe"
  PID: 540
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    PID: 3360

C:\Windows\svchos.exe
  Command line: C:\Windows\svchos.exe
  PID: 2548
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\ieXplorE.ExE
    Command line: "C:\Program Files\Internet Explorer\ieXplorE.ExE"
    PID: 1804
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 633KB
MD5: 36626fc09c3aa85b20e32b87003bf010
SHA1: 7fb76c8dfdcd827691b8a18ddaa0de2029a58f1e
SHA256: 293fab758a415b9974ab37d05c46840453d3b19bc8b17ccd5ca87a89d75a1684
SHA512: 0703e1e40f2a97c057f18f03cf4e0c3640955ef3dc0d1ba59f216087a6ea38f71edf4ac262e06068d34a96d1a29b19939e715551cbdce24dee037eae437dd919

Filesize: 218B
MD5: 9e5fc10534790d51300445bff90f17c4
SHA1: 3b09427d324a88c89bb320422abeb40cb0ef75f7
SHA256: b870eacdb4f3e018331e0f03b690f0ec90f3b3f8c55f97bce6e2795036f0c1ac
SHA512: e221580bd83ccf94f7259d73b2b4b638aa184ceaf08356cf33c08eaac1791829896a8da9c460d743bf92dbeac48016ce14a24ae821822e6b8f2d6cd8cb5350e6