Analysis

Max time kernel: 122s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 28/03/2024, 07:50
Static task: static1

Behavioral task: behavioral1
  Sample: 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
Size: 4.3MB
MD5: 00ce7682023686f4c1336fdcfccf50d2
SHA1: 9644ba92a81872785be50ea81de3a74eebd9fc10
SHA256: 4bcd7342dcbd048d14c7eadb7c42a467895ffacd5ebd8af69e9643d1866b3217
SHA512: 02b0785fc497700984fc477ca4cce8a13105341f7b4b1ee0287a0fa1d2797eb3ba1a8843715787348a34dcb6d5b87b02d8f48d657646dd7de30c02f26caba39b
SSDEEP: 98304:p7SpxSV7vi8Eody/CKKKXbEN5bB+PU+zWveiX:p7SpxGzi89dGV5g5b4VzXiX
Malware Config
Signatures

Resource: behavioral1/files/0x0007000000015659-34.dat

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (36 IoCs)

  description                         pid   Process                                              procid_target
  PID 1948 wrote to memory of 3032    1948  00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe  28
  PID 1948 wrote to memory of 3032    1948  00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe  28
  PID 1948 wrote to memory of 3032    1948  00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe  28
  PID 1948 wrote to memory of 3032    1948  00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe  28
  PID 3032 wrote to memory of 2488    3032  cmd.exe                                              30
  PID 3032 wrote to memory of 2488    3032  cmd.exe                                              30
  PID 3032 wrote to memory of 2488    3032  cmd.exe                                              30
  PID 3032 wrote to memory of 2488    3032  cmd.exe                                              30
  PID 2488 wrote to memory of 2500    2488  cmd.exe                                              32
  PID 2488 wrote to memory of 2500    2488  cmd.exe                                              32
  PID 2488 wrote to memory of 2500    2488  cmd.exe                                              32
  PID 2488 wrote to memory of 2500    2488  cmd.exe                                              32
  PID 2500 wrote to memory of 2316    2500  WScript.exe                                          33
  PID 2500 wrote to memory of 2316    2500  WScript.exe                                          33
  PID 2500 wrote to memory of 2316    2500  WScript.exe                                          33
  PID 2500 wrote to memory of 2316    2500  WScript.exe                                          33
  PID 2316 wrote to memory of 2496    2316  cmd.exe                                              35
  PID 2316 wrote to memory of 2496    2316  cmd.exe                                              35
  PID 2316 wrote to memory of 2496    2316  cmd.exe                                              35
  PID 2316 wrote to memory of 2496    2316  cmd.exe                                              35
  PID 2316 wrote to memory of 240     2316  cmd.exe                                              36
  PID 2316 wrote to memory of 240     2316  cmd.exe                                              36
  PID 2316 wrote to memory of 240     2316  cmd.exe                                              36
  PID 2316 wrote to memory of 240     2316  cmd.exe                                              36
  PID 2316 wrote to memory of 2556    2316  cmd.exe                                              37
  PID 2316 wrote to memory of 2556    2316  cmd.exe                                              37
  PID 2316 wrote to memory of 2556    2316  cmd.exe                                              37
  PID 2316 wrote to memory of 2556    2316  cmd.exe                                              37
  PID 2316 wrote to memory of 2388    2316  cmd.exe                                              38
  PID 2316 wrote to memory of 2388    2316  cmd.exe                                              38
  PID 2316 wrote to memory of 2388    2316  cmd.exe                                              38
  PID 2316 wrote to memory of 2388    2316  cmd.exe                                              38
  PID 2316 wrote to memory of 2396    2316  cmd.exe                                              39
  PID 2316 wrote to memory of 2396    2316  cmd.exe                                              39
  PID 2316 wrote to memory of 2396    2316  cmd.exe                                              39
  PID 2316 wrote to memory of 2396    2316  cmd.exe                                              39
Processes (process tree, indented by depth)

1. C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe"
   PID: 1948
   Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\lettera\prog\ini.bat" "
      PID: 3032
      Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /K "C:\lettera\prog\ini.bat" HIDE-BOSS
         PID: 2488
         Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\lettera\prog\RunVBS.vbs"
            PID: 2500
            Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c ""C:\lettera\prog\ini.bat" BOSS"
               PID: 2316
               Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 2496

               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 240

               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 2556

               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  PID: 2388

               6. C:\Windows\SysWOW64\reg.exe
                  Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v TaskbarGlomLevel /t REG_DWORD /d 2 /f
                  PID: 2396
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 98B
  MD5: 6ba5f2c66500f7c255886fc8fe1024ce
  SHA1: 0b74e63957018f065e77c91ee1ca838480534e17
  SHA256: fbfe882314562a3b734d59112b139e70ddd4ae91ef6292032b251ff368fa475d
  SHA512: d594cf7dd31e46ea5e6c39d34c2e4b6e1241ef665367178346aaceafa073b379d0058c45e922ae12006ed8e4a72cae64ccde1f90fe228cc6ff7abccc552849b9

File 2
  Filesize: 1KB
  MD5: d9806cc5878f4c4df79094a771a57991
  SHA1: 635a7d4af9b43054b750e04ecdf14f17ec2b218f
  SHA256: 5cd72ab78086b4980871f5a5208909ee18e88498d28d7878d27a24d932536db0
  SHA512: e051654a48dd1040d85aefc316f3c2a5e949600199f93e915e79cf874e2c2ea18062293678eeef85ceb69a25ca73f3ca617e94246893d09bc8f14b1edea64a6d

File 3
  Filesize: 2.9MB
  MD5: 936ae0760d92e80cbd5aef52950219f8
  SHA1: 048f390894bd63abdc2a9984c03818b55510ca5c
  SHA256: 747b3d3db26b9c9dbc05f60f786fb8a7fa14526e8be110b95cf7fb13807c1e2d
  SHA512: 449b4a4b470469eb0a88ad4ed5127be9fb9c34a4c0075e2298b5580a601f30166f17ada7842aa77c1b413c942b5563c9668cb258ca7b9d9cac805399be18f729

File 4
  Filesize: 7.1MB
  MD5: 880d94d79321d0ac19540779ec386f91
  SHA1: 28518b27e583cef182a77014c8b4becdccd558de
  SHA256: 293011f58b23fb22fd5b568e34593ea5712870616b0e60b1c0be2dac3c788566
  SHA512: b6e461f9f3c0eb4e0282ee4f220197ba416c3793b9dffe42c4c5c86b8231adabc5bddda9d1267e57150b25b046e3faa4e7a0d81cedf0278a64c09b45aa55e939