Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 17:06

Static task: static1
Behavioral task: behavioral1
- Sample: 1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe
- Resource: win7-20240611-en (windows7-x64)
- 8 signatures
- 150 seconds
General
- Target: 1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe
- Size: 168KB
- MD5: 1bce8e19f6cd5a1be722a687ea00a81b
- SHA1: 193426bcae0b462b95e3080db55aa90b71c30555
- SHA256: 8b90a4fc2facead1c71323f5addce373cbb043985bdae943db55a330532f452c
- SHA512: 7366ecb25a31bd0dcc2508a5cd0e45c783ffef9ccf0937c3b150aaa0519a0e243dd3f3d9e53bd3a1fb463c9330e1200ec45ec95370fb4a4c994e34b7f34e9886
- SSDEEP: 3072:ZzFEhDHHIUjCgArLEZXApH3UHE360bSYUDpC:5F2HIU2Y9KEHE36uS5pC
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: wrapflow.exe
  description | ioc | process
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | wrapflow.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | wrapflow.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | wrapflow.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | wrapflow.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: wrapflow.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | wrapflow.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | wrapflow.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | wrapflow.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: wrapflow.exe
  pid | process
  - 2260 | wrapflow.exe (12 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: 1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe
  pid | process
  - 1384 | 1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe, wrapflow.exe
  description | pid | process | target process
  - PID 468 wrote to memory of 1384 | 468 | 1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe | 1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe (3 identical entries)
  - PID 32 wrote to memory of 2260 | 32 | wrapflow.exe | wrapflow.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1bce8e19f6cd5a1be722a687ea00a81b_JaffaCakes118.exe
    command line: --7d48ce8c
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\wrapflow.exe
  command line: "C:\Windows\SysWOW64\wrapflow.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wrapflow.exe
    command line: --3e3a0aea
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/32-8-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/32-9-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/468-0-0x0000000002170000-0x0000000002181000-memory.dmp (Filesize 68KB)
- memory/468-1-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/468-4-0x0000000002170000-0x0000000002181000-memory.dmp (Filesize 68KB)
- memory/1384-5-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/1384-6-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/1384-14-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize 80KB)
- memory/2260-12-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/2260-13-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/2260-18-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/2260-19-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)