Analysis
max time kernel: 131s
max time network: 140s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2024, 13:33
Static task: static1
Behavioral task: behavioral1
  Sample: 06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
Size: 15KB
MD5: 06d39b248619f7fda87fc5847d7a6ef2
SHA1: 9b80ecd44a4c26020bd38bc75358ff9d684e1477
SHA256: a8054060ea7a103dc8d2943aea79c5cfed3645c23c1027fcfd042e6d14daf847
SHA512: b8d11cd602a5ef4bfd7419950666e5c80f3023070554b4825e41d8e37a258f4ec5811942a0d28c5315eb49633da66cab30c90fc6c292fa211a1932cfaff7a8a2
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYvAz2d:hDXWipuE+K3/SSHgxm4U
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2624  DEM147A.exe
  2556  DEM69EA.exe
  2688  DEMBFC6.exe
  2280  DEM14E8.exe
  2028  DEM6A38.exe
  2764  DEMBF97.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1836  06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe
  2624  DEM147A.exe
  2556  DEM69EA.exe
  2688  DEMBFC6.exe
  2280  DEM14E8.exe
  2028  DEM6A38.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (24 IoCs; each of the six distinct cross-process writes below is logged four times)
  description                       pid   Process                                             procid_target
  PID 1836 wrote to memory of 2624  1836  06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe  29
  PID 2624 wrote to memory of 2556  2624  DEM147A.exe                                         31
  PID 2556 wrote to memory of 2688  2556  DEM69EA.exe                                         35
  PID 2688 wrote to memory of 2280  2688  DEMBFC6.exe                                         37
  PID 2280 wrote to memory of 2028  2280  DEM14E8.exe                                         39
  PID 2028 wrote to memory of 2764  2028  DEM6A38.exe                                         41
  Every write targets the process its writer launches next in the tree below; no write into a pre-existing, unrelated process is recorded.
Processes
Seven processes form a single linear chain: each entry is the child of the one above it (tree depth in brackets). All run from the user's Temp directory and the command line is the bare image path with no arguments.
[1] C:\Users\Admin\AppData\Local\Temp\06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe (PID 1836)
    command line: "C:\Users\Admin\AppData\Local\Temp\06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\AppData\Local\Temp\DEM147A.exe (PID 2624)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM147A.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe (PID 2556)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM69EA.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[4] C:\Users\Admin\AppData\Local\Temp\DEMBFC6.exe (PID 2688)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEMBFC6.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe (PID 2280)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM14E8.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[6] C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe (PID 2028)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEM6A38.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[7] C:\Users\Admin\AppData\Local\Temp\DEMBF97.exe (PID 2764)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEMBF97.exe"
    - Executes dropped EXE
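To turn the flattened WriteProcessMemory IoCs and the process tree above into something checkable, here is an added Python example; it is not part of the sandbox report or its tooling. The six distinct IoC rows and the leaf image name DEMBF97.exe are copied from this page, and the page text is rebuilt as a constructed string with the four-fold repetition the report shows, so the parser runs on the real layout. It reconstructs the parent/child tree, confirms it is one linear chain rather than a fan-out launcher, and reports how many times each write was logged.

```python
import re
from collections import Counter, defaultdict

# The six distinct rows from the report's "Suspicious use of WriteProcessMemory"
# signature: parent PID, child PID, parent image, sandbox procid of the child.
# The page lists each row four times (24 IoCs); the flattened page text is
# reconstructed below (constructed input) so the parser sees that layout.
DISTINCT_ROWS = [
    "PID 1836 wrote to memory of 2624 1836 06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe 29",
    "PID 2624 wrote to memory of 2556 2624 DEM147A.exe 31",
    "PID 2556 wrote to memory of 2688 2556 DEM69EA.exe 35",
    "PID 2688 wrote to memory of 2280 2688 DEMBFC6.exe 37",
    "PID 2280 wrote to memory of 2028 2280 DEM14E8.exe 39",
    "PID 2028 wrote to memory of 2764 2028 DEM6A38.exe 41",
]
PAGE_TEXT = " ".join(row for row in DISTINCT_ROWS for _ in range(4))

# The last process never writes into another one, so its image name only
# appears in the report's "Processes" section; taken from there.
LEAF_IMAGES = {2764: "DEMBF97.exe"}

ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<procid>\d+)"
)


def parse_wpm_events(text):
    """Distinct (parent_pid, child_pid, parent_image, procid_target) tuples in
    page order, plus a Counter of how often each was logged."""
    counts = Counter()
    order = []
    for m in ROW_RE.finditer(text):
        key = (int(m["parent"]), int(m["child"]), m["image"], int(m["procid"]))
        if key not in counts:
            order.append(key)
        counts[key] += 1
    return order, counts


def build_tree(events):
    """Map each parent PID to its children and each PID to its image name."""
    children = defaultdict(list)
    images = dict(LEAF_IMAGES)
    for parent, child, image, _ in events:
        children[parent].append(child)
        images[parent] = image
    return children, images


def linear_chain(children, root):
    """Follow the tree from root and return the PID path if every node has at
    most one child; return None on fan-out (a launcher, not a stage chain)."""
    path = [root]
    while children.get(path[-1]):
        kids = children[path[-1]]
        if len(kids) != 1:
            return None
        path.append(kids[0])
    return path


def summarize(text=PAGE_TEXT, root=1836):
    events, counts = parse_wpm_events(text)
    children, images = build_tree(events)
    chain = linear_chain(children, root)
    return {
        "total_iocs": sum(counts.values()),
        "distinct_writes": len(events),
        "writes_per_child": sorted(set(counts.values())),
        "chain_pids": chain,
        "chain_images": [images[p] for p in chain] if chain else None,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The chain check matters for detection design: a rule keyed on "an executable in %TEMP% spawns another executable in %TEMP% and writes into it" fires at stage [2] here, long before the seventh drop, whereas a rule keyed on any one of the DEM*.exe names would miss a re-run that generates different names.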
MITRE ATT&CK Enterprise v15
Downloads (dropped files)
Six dropped files, each the same 15KB size as the submitted sample; none shares a hash with the sample or with any other drop, so the chain rewrites its payload at every stage rather than copying one file forward.
1. Filesize: 15KB
   MD5: dc6a0447edbfd0a9ecf39150e5643170
   SHA1: 5de4d159a577d3742e36601dbd563bd775e1826e
   SHA256: 008d4bc550e2d2527bb019d3b03c6597ee44c38bfa5ea078c9b85a3e032c3f51
   SHA512: 6eb95fe022f7885a8c2676a2b40047e4fd360b31f524a22febe7ef75af6449140653c84359c5ab25a71245944d7137b0c268afc2911bec20eb7e390e6acffac2
2. Filesize: 15KB
   MD5: 80e1a33b6dc417bffa0f9f9b85ce9fe3
   SHA1: 2a1df707db718186d67dffef60cb8182abc46ca5
   SHA256: 15a0d0bbfe03668f2111be7c6f72ff19e70fc56f9db4b9fa8a3d500b12663806
   SHA512: 421b8720901cf7be9decc634b4f44e773a9207d16a6a9204caa650c6474a2df633aa02f151d3d123749ca71da13ed457774efae8086e4977f6b0fa1c00dfd209
3. Filesize: 15KB
   MD5: 296c45af1ca00b215e9ba14b94bff9df
   SHA1: f7384a3117eea381da46788978a4ac02a49555a0
   SHA256: f9c3b7dde56ccd5cf1b811051e22b3278c07e46109db51f7a8306bfaafa4aec4
   SHA512: 90a7bb9fb4aadfd02c062527ff40e4e07a68b2f9b5384545d1bc48c2c3b44578736e713b439b297baf345b3d2f3887b108776179393a62b36df16f2dfe44364e
4. Filesize: 15KB
   MD5: a6997e8858fd9ccb9adfa7d9108f1cf2
   SHA1: e1839638a0adadff2aaf635193443981e0f0f881
   SHA256: 82b6f274c79d5ffd058c3e3174449a1a18066ae88740ef60b8b7f19e9371f969
   SHA512: b25322bb7361108bfd638daf4ed5a5de838488f73c7862e937e94828063fb2059d78b4ab4c09123549167d0320b97018f864836481d5ab5dff9c1051e3eb746e
5. Filesize: 15KB
   MD5: 430cf4e017c91638e638c56a4a609cc5
   SHA1: c0d2dbe8427023fcbaeb026f948eb78cd1c7da80
   SHA256: 24faa394a70597bcc5e4bbde2dc7eb737fd1512b1fcf5b382163c088b7f65e99
   SHA512: 86582d43b97d976032d2bcef07d329ce95b8fa87a92f1a23027771446aabc6b238beb8d5f2c7fb961cd7d9043ff3fffcf0f80080f6f96ecdf449f4d621937582
6. Filesize: 15KB
   MD5: 23f1b19b804c4b3457ee31ff90fc9676
   SHA1: 6833706725459c1b8cd0478d9a007e3265389ea1
   SHA256: d5a0c87c9d29eed377c802cd25e7d00c04c1756c7e215f2bf37c991886210e0d
   SHA512: c0b3b2c81485b750754edd97e56180ab6f3a12ebc351c2b855dd55ddf511333e84ecb4803af1f99272b5818b28d69d8169038fb6f7df89ecf636c17c29e68f12
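For host triage, a responder wants to hash everything in a user's Temp directory against the seven digests this report lists (the submitted sample plus the six drops), since matching on the original sample alone would miss every drop. The following is an added Python example, not tooling from the report or the sandbox. The SHA256 values are copied from the General and Downloads sections above; the "dropped file N" labels are only the list order on this page, and the 1 MiB size cap and the directory chosen in the usage stanza are assumptions.

```python
import hashlib
import os
from pathlib import Path

# SHA256 values from this report: the submitted sample and the six files
# written to %TEMP%. Labels for the drops are their order in the Downloads
# list; the page does not map them to the DEM*.exe names.
REPORT_SHA256 = {
    "a8054060ea7a103dc8d2943aea79c5cfed3645c23c1027fcfd042e6d14daf847":
        "submitted sample 06d39b248619f7fda87fc5847d7a6ef2_JaffaCakes118.exe",
    "008d4bc550e2d2527bb019d3b03c6597ee44c38bfa5ea078c9b85a3e032c3f51": "dropped file 1",
    "15a0d0bbfe03668f2111be7c6f72ff19e70fc56f9db4b9fa8a3d500b12663806": "dropped file 2",
    "f9c3b7dde56ccd5cf1b811051e22b3278c07e46109db51f7a8306bfaafa4aec4": "dropped file 3",
    "82b6f274c79d5ffd058c3e3174449a1a18066ae88740ef60b8b7f19e9371f969": "dropped file 4",
    "24faa394a70597bcc5e4bbde2dc7eb737fd1512b1fcf5b382163c088b7f65e99": "dropped file 5",
    "d5a0c87c9d29eed377c802cd25e7d00c04c1756c7e215f2bf37c991886210e0d": "dropped file 6",
}


def digest_file(path, chunk=1 << 16):
    """MD5, SHA1 and SHA256 of a file computed in a single read pass, so a
    match on any of the report's hash types costs one read of the file."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def scan_directory(directory, known=REPORT_SHA256, max_size=1 << 20):
    """Hash every regular file under `directory` up to max_size bytes
    (assumed cap: every IOC here is about 15KB) and return [(path, label)]
    for files whose SHA256 appears in `known`. Unreadable or vanished
    files are skipped so one locked file does not abort the sweep."""
    hits = []
    for path in sorted(Path(directory).rglob("*")):
        try:
            if not path.is_file() or path.stat().st_size > max_size:
                continue
            sha256 = digest_file(path)["sha256"]
        except OSError:
            continue
        if sha256 in known:
            hits.append((str(path), known[sha256]))
    return hits


if __name__ == "__main__":
    # Assumed target: the current user's Temp directory on the host being triaged.
    temp_dir = os.environ.get("TEMP") or os.environ.get("TMPDIR") or "/tmp"
    for found_path, label in scan_directory(temp_dir):
        print(f"{label}: {found_path}")
```

A hit on any of the six drop hashes with no hit on the sample hash is the expected picture on a host where the first stage already deleted itself; the SHA256 set is the thing to export to your EDR or blocklist, not the DEM*.exe filenames.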