Analysis
Max time kernel: 131s
Max time network: 141s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 28-03-2024 23:49
Static task: static1
Behavioral task: behavioral1
  Sample: 130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe
  Resource: win10v2004-20231215-en
General
Target: 130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe
Size: 20KB
MD5: 130eaea4dc821baa7927ba07ee7ede0c
SHA1: 72d95f31951a97bfa24cad8faa8a9061079c5b47
SHA256: 08539e3831c9d5f42dd913a6df1fb8146d2ba60bec231be6aa751c1f71100c04
SHA512: 326e98d1ea3d7f9c21a7a65469abf4e344c20d0db06facdeef69b9db2bd84da45a94213eb20e7d8604cc286547878822fb0079b37cef6392300b1d37a94c1e35
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PSJW:hDXWipuE+K3/SSHgxmHZPS4
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  2532  DEMC9E.exe
  2600  DEM61EE.exe
  1432  DEMB74E.exe
  1528  DEMD4A.exe
  2832  DEM62B9.exe
  2068  DEMB7EA.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  2944  130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe
  2532  DEMC9E.exe
  2600  DEM61EE.exe
  1432  DEMB74E.exe
  1528  DEMD4A.exe
  2832  DEM62B9.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                             procid_target
  PID 2944 wrote to memory of 2532   2944  130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe  29
  PID 2944 wrote to memory of 2532   2944  130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe  29
  PID 2944 wrote to memory of 2532   2944  130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe  29
  PID 2944 wrote to memory of 2532   2944  130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe  29
  PID 2532 wrote to memory of 2600   2532  DEMC9E.exe                                          31
  PID 2532 wrote to memory of 2600   2532  DEMC9E.exe                                          31
  PID 2532 wrote to memory of 2600   2532  DEMC9E.exe                                          31
  PID 2532 wrote to memory of 2600   2532  DEMC9E.exe                                          31
  PID 2600 wrote to memory of 1432   2600  DEM61EE.exe                                         35
  PID 2600 wrote to memory of 1432   2600  DEM61EE.exe                                         35
  PID 2600 wrote to memory of 1432   2600  DEM61EE.exe                                         35
  PID 2600 wrote to memory of 1432   2600  DEM61EE.exe                                         35
  PID 1432 wrote to memory of 1528   1432  DEMB74E.exe                                         37
  PID 1432 wrote to memory of 1528   1432  DEMB74E.exe                                         37
  PID 1432 wrote to memory of 1528   1432  DEMB74E.exe                                         37
  PID 1432 wrote to memory of 1528   1432  DEMB74E.exe                                         37
  PID 1528 wrote to memory of 2832   1528  DEMD4A.exe                                          39
  PID 1528 wrote to memory of 2832   1528  DEMD4A.exe                                          39
  PID 1528 wrote to memory of 2832   1528  DEMD4A.exe                                          39
  PID 1528 wrote to memory of 2832   1528  DEMD4A.exe                                          39
  PID 2832 wrote to memory of 2068   2832  DEM62B9.exe                                         41
  PID 2832 wrote to memory of 2068   2832  DEM62B9.exe                                         41
  PID 2832 wrote to memory of 2068   2832  DEM62B9.exe                                         41
  PID 2832 wrote to memory of 2068   2832  DEM62B9.exe                                         41
Processes
1. C:\Users\Admin\AppData\Local\Temp\130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe"
   PID: 2944
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe"
      PID: 2532
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe"
         PID: 2600
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\DEMB74E.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB74E.exe"
            PID: 1432
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\DEMD4A.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD4A.exe"
               PID: 1528
               - Executes dropped EXE
               - Loads dropped DLL
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\DEM62B9.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM62B9.exe"
                  PID: 2832
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Local\Temp\DEMB7EA.exe
                     Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB7EA.exe"
                     PID: 2068
                     - Executes dropped EXE
Downloads