Analysis
  max time kernel: 37s
  max time network: 37s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-12-2024 16:11
Behavioral tasks
  behavioral1
    Sample: JaffaCakes118_c4a29e5c9f75e8f9c2c69239fb49cf63ee58e85364e9b8191ff61f996d8b1be1
    Resource: win7-20240708-en
  behavioral2
    Sample: JaffaCakes118_c4a29e5c9f75e8f9c2c69239fb49cf63ee58e85364e9b8191ff61f996d8b1be1
    Resource: win10v2004-20241007-en
  The analysis data on this page (platform windows10-2004_x64, resource win10v2004-20241007-en) is from the behavioral2 run.
General
  Target: JaffaCakes118_c4a29e5c9f75e8f9c2c69239fb49cf63ee58e85364e9b8191ff61f996d8b1be1
  Size: 35.2MB
  MD5: 52548d01a3077aa0828017660fab2b9a
  SHA1: ae276b665ead85cb2b9d564c8a2f2c0fd9a560bf
  SHA256: c4a29e5c9f75e8f9c2c69239fb49cf63ee58e85364e9b8191ff61f996d8b1be1
  SHA512: 76191ca1b66646f1ff985c8463c36bfd15b58783c9deac7145038170c8778cfa69b403809225fd093d81415d6c187f12426f4c67a1958f175edfdb69aacc5096
  SSDEEP: 786432:LHnQwMPHgP0ueFIRp0bsFG3AeemBOjTjoJkqNtSsz:LHtczFIXqs7mMjg5z
Malware Config
  (none extracted)

Signatures
  Every signature below fires on taskmgr.exe (PID 2940), which the process tree lists as its own root process rather than as a child of the cmd.exe that launched the sample (PID 3252). No IoCs are recorded for the submitted 35.2MB target itself. Task Manager's Performance tab reads the processor name string and disk friendly names, enumerates every running process, and enables SeDebugPrivilege to do so, so the sandbox-evasion and process-enumeration hits here are consistent with ordinary Task Manager activity and should not be read as behavior of the sample.
  Checks SCSI registry key(s)    3 TTPs    3 IoCs
    SCSI information is often read in order to detect sandboxing environments.
    description        ioc                                                                                                                                                 Process
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                    taskmgr.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A    taskmgr.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                       taskmgr.exe
  Checks processor information in registry    2 TTPs    2 IoCs
    Processor information is often read in order to detect sandboxing environments.
    description        ioc                                                                                      Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          taskmgr.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      taskmgr.exe
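The two signatures above describe the same registry reads a VM-aware sample performs: the SCSI device class name under Enum\SCSI (here Ven_WDC, a Western Digital identity rather than a VMware or VBOX string), the per-instance FriendlyName, and the CPU's ProcessorNameString. The property key {b725f130-47ef-101a-a5f1-02608c9eebac}\000A that taskmgr.exe also opened is DEVPKEY_NAME, the device's display name. The script below is an added example, not code from the sandbox or from the sample; it reproduces those reads from an unprivileged PowerShell prompt and reports which values would trip a marker-string check, which is how a sandbox operator confirms what a sample sees. The list of marker substrings is an assumption for the example; CurrentControlSet is used instead of the literal ControlSet001 in the report because it is the live link to the active control set.

```powershell
# Added example (not part of the sandbox report): reproduce the two registry reads the
# report attributes to taskmgr.exe and show what a VM-detection routine would learn.
# FriendlyName and ProcessorNameString are world-readable, so no elevation is needed.

# CurrentControlSet is the live link to the ControlSet00N key named in the report.
$scsiRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
$cpuKey   = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'

# Vendor/product substrings that common VM checks look for.
# This list is an assumption for the example, not something the report states.
$vmMarkers = @('VMware', 'VBOX', 'VirtualBox', 'QEMU', 'Virtual', 'Xen', 'KVM')

function Test-VmMarker([string]$Text) {
    # Returns the first marker found in $Text (case-insensitive), or $null.
    foreach ($m in $vmMarkers) {
        if ($Text -and $Text.IndexOf($m, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $m }
    }
    return $null
}

$results = New-Object System.Collections.Generic.List[object]

# 1. SCSI enumeration: Enum\SCSI\<Disk&Ven_X&Prod_Y>\<instance id>\FriendlyName
foreach ($devClass in Get-ChildItem -Path $scsiRoot -ErrorAction SilentlyContinue) {
    foreach ($inst in Get-ChildItem -Path $devClass.PSPath -ErrorAction SilentlyContinue) {
        $friendly = (Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue).FriendlyName
        $results.Add([pscustomobject]@{
            Check    = 'SCSI'
            Key      = "$($devClass.PSChildName)\$($inst.PSChildName)"
            Value    = $friendly
            # The class key itself carries Ven_/Prod_ strings, so test both.
            VmMarker = Test-VmMarker ("$($devClass.PSChildName) $friendly")
        })
    }
}

# 2. Processor name: HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
$cpuName = (Get-ItemProperty -Path $cpuKey -Name ProcessorNameString -ErrorAction SilentlyContinue).ProcessorNameString
$results.Add([pscustomobject]@{
    Check    = 'CPU'
    Key      = 'CentralProcessor\0'
    Value    = $cpuName
    VmMarker = Test-VmMarker $cpuName
})

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.VmMarker }) {
    Write-Host 'At least one value carries a virtualization marker; a sandbox-aware sample would likely bail out here.'
} else {
    Write-Host 'No virtualization markers in the values this report shows being read.'
}
```

Run it inside the analysis VM before submitting samples: if the SCSI class key or the CPU name string contains a hypervisor vendor name, a sample that performs these reads can silently exit and the report will show nothing, which is indistinguishable from a benign file.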
  Suspicious behavior: EnumeratesProcesses    44 IoCs
    pid 2940    Process taskmgr.exe    (44 identical events)
  Suspicious behavior: GetForegroundWindowSpam    1 IoCs
    pid 2940    Process taskmgr.exe
  Suspicious use of AdjustPrivilegeToken    5 IoCs
    description                          pid     Process
    Token: SeDebugPrivilege              2940    taskmgr.exe
    Token: SeSystemProfilePrivilege      2940    taskmgr.exe
    Token: SeCreateGlobalPrivilege       2940    taskmgr.exe
    Token: 33                            2940    taskmgr.exe    (privilege LUID 33, not resolved to a name by the sandbox; on Windows this LUID is SeIncWorkingSetPrivilege)
    Token: SeIncBasePriorityPrivilege    2940    taskmgr.exe
  Suspicious use of FindShellTrayWindow    50 IoCs
    pid 2940    Process taskmgr.exe    (50 identical events)
  Suspicious use of SendNotifyMessage    50 IoCs
    pid 2940    Process taskmgr.exe    (50 identical events)
Processes
  C:\Windows\system32\cmd.exe    PID 3252    (tree depth 1)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4a29e5c9f75e8f9c2c69239fb49cf63ee58e85364e9b8191ff61f996d8b1be1
    signatures: none

  C:\Windows\system32\taskmgr.exe    PID 2940    (tree depth 1; a separate root, not a child of the cmd.exe launch above)
    command line: "C:\Windows\system32\taskmgr.exe" /4
    signatures:
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage