Analysis
- max time kernel: 140s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-07-2024 06:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: 51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe
- Size: 608KB
- MD5: 51de2b9486f0b8fc4406ac8956a4da2b
- SHA1: f78be95c8e26a707b927823a0ef6c006e680a22d
- SHA256: 481e617bf801b26b6fb8edc67ea637b1e9db954c0ee673e9a2bce0071768b929
- SHA512: 990a9b4ae0dabccb5d94a917da6034a7b23f22173b2fe2c651227f58a31ed3141f112b8b5c3dc30e1ee341c3db3736b947e84d884e95e3dd1953a9d3f9fd1078
- SSDEEP: 12288:F3Mhue1faMKxXFuK1dCZZ8/Ob6M4gcGrcFyYgWR5:F3RIaxXFuK18Jb6ZSrcs
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | 51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: dw20.exe
  description | pid | process
  Token: SeBackupPrivilege | 968 | dw20.exe
  Token: SeBackupPrivilege | 968 | dw20.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe
  description | pid | process | target process
  PID 2440 wrote to memory of 968 | 2440 | 51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe | dw20.exe
  PID 2440 wrote to memory of 968 | 2440 | 51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe | dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51de2b9486f0b8fc4406ac8956a4da2b_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (child of the sample)
    Command line: dw20.exe -x -s 1500
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken

Note: dw20.exe is the .NET Framework error-reporting shim, which the runtime launches when a managed application hits an unhandled exception. The registry reads and the SeBackupPrivilege use listed above are attributed to dw20.exe, not to the sample itself, so they should be read as crash-reporting activity rather than as evidence of sandbox detection by the sample.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2440-0-0x00007FFE29255000-0x00007FFE29256000-memory.dmp (Filesize 4KB)
- memory/2440-1-0x00007FFE28FA0000-0x00007FFE29941000-memory.dmp (Filesize 9.6MB)
- memory/2440-2-0x000000001C130000-0x000000001C5FE000-memory.dmp (Filesize 4.8MB)
- memory/2440-3-0x000000001C6B0000-0x000000001C756000-memory.dmp (Filesize 664KB)
- memory/2440-4-0x000000001C760000-0x000000001C7E0000-memory.dmp (Filesize 512KB)
- memory/2440-5-0x000000001CBD0000-0x000000001CC6C000-memory.dmp (Filesize 624KB)
- memory/2440-7-0x00007FFE28FA0000-0x00007FFE29941000-memory.dmp (Filesize 9.6MB)
- memory/2440-6-0x000000001C7F0000-0x000000001C7F8000-memory.dmp (Filesize 32KB)
- memory/2440-16-0x00007FFE28FA0000-0x00007FFE29941000-memory.dmp (Filesize 9.6MB)