28854f11be752dcc0747681d6bc453b60bcb9cd9ce81c61280c434ea468cc1f9

Analysis

max time kernel
133s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
Size

2.0MB
MD5

90566a56f87cbb3de3ee406a8031a089
SHA1

5f37a415bc489f03e734b1447ee844e5b2df0822
SHA256

28854f11be752dcc0747681d6bc453b60bcb9cd9ce81c61280c434ea468cc1f9
SHA512

94794faab87f8e1ddf6b3867330d79010e2e06c61b3816e1984c8c047144f4d7ee4ed02d1c5f6f466a10f26498cd508f8413a1570058e47d94b326e15978ff79
SSDEEP

49152:4U/NHzhgPTQk56pfcwedikpmjLFPCgCniBYAsEZXbYdUV7sK5Fq:RH9gPTQk5dOZavFdOXbHi

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioControlsControlPanel.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioControlsControlPanel.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

pid	process
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2444 90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe"
2⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe"
2⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe"
2⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe"
2⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe"
2⤵
PID:2500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2444-0-0x000000007519E000-0x000000007519F000-memory.dmp

Filesize
4KB

Download
memory/2444-1-0x0000000000130000-0x0000000000338000-memory.dmp

Filesize
2.0MB

Download
memory/2444-2-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/2444-3-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/2444-4-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/2444-5-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/2444-6-0x00000000050C0000-0x00000000052AE000-memory.dmp

Filesize
1.9MB

Download
memory/2444-7-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/2444-8-0x000000007519E000-0x000000007519F000-memory.dmp

Filesize
4KB

Download
memory/2444-9-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/2444-11-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/2444-13-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 2444 wrote to memory of 3472	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 3472	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 3472	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 1472	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 1472	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 1472	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 1396	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 1396	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 1396	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 3404	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 3404	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 3404	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 2500	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 2500	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe
PID 2444 wrote to memory of 2500	2444	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe	90566a56f87cbb3de3ee406a8031a089_JaffaCakes118.exe