Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 06:30
Static task: static1
Behavioral task: behavioral1
- Sample: 191efde5fff866d11803668bece19481_JaffaCakes118.exe
- Resource: win7-20240508-en
- 8 signatures
- 150 seconds
General
- Target: 191efde5fff866d11803668bece19481_JaffaCakes118.exe
- Size: 136KB
- MD5: 191efde5fff866d11803668bece19481
- SHA1: 39550c87cfb8a6ebda74bf1af1e7aba1171e1e03
- SHA256: 8b8416fae1cc885453fca2fc5c75576c1a847f0e777845f531ef9e5a7c990e2f
- SHA512: a88aa1137d2be585e05274a9162c5ba0ffb4b8e88f95bbeb2393a6c5abdc350283270562954a5757b145641e6398bbf6150ec78422504ed99bd0bbb7799bbb54
- SSDEEP: 3072:csTW661letEoocz4plCCCfqBz+Co5wJSg:csTa6EooXCCCfqBz+Cu
Malware Config
Signatures
-
Drops file in System32 directory (4 IoCs)
Processes: commentsource.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | commentsource.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | commentsource.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | commentsource.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | commentsource.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS (3 IoCs)
Processes: commentsource.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | commentsource.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | commentsource.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | commentsource.exe
-
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: commentsource.exe
pid | process
2324 | commentsource.exe (12 occurrences)
-
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 191efde5fff866d11803668bece19481_JaffaCakes118.exe
pid | process
1508 | 191efde5fff866d11803668bece19481_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 191efde5fff866d11803668bece19481_JaffaCakes118.exe, commentsource.exe
description | pid | process | target process
PID 3500 wrote to memory of 1508 | 3500 | 191efde5fff866d11803668bece19481_JaffaCakes118.exe | 191efde5fff866d11803668bece19481_JaffaCakes118.exe
PID 3500 wrote to memory of 1508 | 3500 | 191efde5fff866d11803668bece19481_JaffaCakes118.exe | 191efde5fff866d11803668bece19481_JaffaCakes118.exe
PID 3500 wrote to memory of 1508 | 3500 | 191efde5fff866d11803668bece19481_JaffaCakes118.exe | 191efde5fff866d11803668bece19481_JaffaCakes118.exe
PID 3876 wrote to memory of 2324 | 3876 | commentsource.exe | commentsource.exe
PID 3876 wrote to memory of 2324 | 3876 | commentsource.exe | commentsource.exe
PID 3876 wrote to memory of 2324 | 3876 | commentsource.exe | commentsource.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\191efde5fff866d11803668bece19481_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\191efde5fff866d11803668bece19481_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\191efde5fff866d11803668bece19481_JaffaCakes118.exe (depth 2)
    Command line: --46b75e7
    - Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\commentsource.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\commentsource.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\commentsource.exe (depth 2)
    Command line: --608537d0
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
- memory/1508-5-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/1508-9-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/2324-11-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
- memory/2324-12-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
- memory/2324-15-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
- memory/2324-16-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)
- memory/3500-0-0x0000000000590000-0x00000000005A1000-memory.dmp (Filesize 68KB)
- memory/3500-4-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/3500-3-0x0000000000590000-0x00000000005A1000-memory.dmp (Filesize 68KB)
- memory/3876-6-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize 140KB)