Analysis
- max time kernel: 140s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/03/2024, 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: 1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
- Size: 15KB
- MD5: 1bc5ac86fe53c6ef51a763c704eb36b6
- SHA1: 6409c5d206f6851829895c0887e5e85b7433c706
- SHA256: fdfc903b97cdbfab6a3b152daf75bc2e0124fa1d561bb589505e2be5cc962f43
- SHA512: f8ee14d99f71161e38032e2dbe4e4b55e18bf38d7c1dadb00d5cc61886b0bc054bc9a74b43f5913bdcd8114f37ce6a6cf34039b00321c2ed316c5ac8d7eac377
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY4hEuBmSN:hDXWipuE+K3/SSHgxmMISN
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2068  DEM60F4.exe
  1828  DEMB941.exe
  912   DEMF8B.exe
  1940  DEM6623.exe
  1260  DEMBC9B.exe
  628   DEM12A6.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2884  1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe
  2068  DEM60F4.exe
  1828  DEMB941.exe
  912   DEMF8B.exe
  1940  DEM6623.exe
  1260  DEMBC9B.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                             procid_target
  PID 2884 wrote to memory of 2068   2884  1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe  29
  PID 2884 wrote to memory of 2068   2884  1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe  29
  PID 2884 wrote to memory of 2068   2884  1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe  29
  PID 2884 wrote to memory of 2068   2884  1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe  29
  PID 2068 wrote to memory of 1828   2068  DEM60F4.exe                                         33
  PID 2068 wrote to memory of 1828   2068  DEM60F4.exe                                         33
  PID 2068 wrote to memory of 1828   2068  DEM60F4.exe                                         33
  PID 2068 wrote to memory of 1828   2068  DEM60F4.exe                                         33
  PID 1828 wrote to memory of 912    1828  DEMB941.exe                                         35
  PID 1828 wrote to memory of 912    1828  DEMB941.exe                                         35
  PID 1828 wrote to memory of 912    1828  DEMB941.exe                                         35
  PID 1828 wrote to memory of 912    1828  DEMB941.exe                                         35
  PID 912 wrote to memory of 1940    912   DEMF8B.exe                                          37
  PID 912 wrote to memory of 1940    912   DEMF8B.exe                                          37
  PID 912 wrote to memory of 1940    912   DEMF8B.exe                                          37
  PID 912 wrote to memory of 1940    912   DEMF8B.exe                                          37
  PID 1940 wrote to memory of 1260   1940  DEM6623.exe                                         39
  PID 1940 wrote to memory of 1260   1940  DEM6623.exe                                         39
  PID 1940 wrote to memory of 1260   1940  DEM6623.exe                                         39
  PID 1940 wrote to memory of 1260   1940  DEM6623.exe                                         39
  PID 1260 wrote to memory of 628    1260  DEMBC9B.exe                                         41
  PID 1260 wrote to memory of 628    1260  DEMBC9B.exe                                         41
  PID 1260 wrote to memory of 628    1260  DEMBC9B.exe                                         41
  PID 1260 wrote to memory of 628    1260  DEMBC9B.exe                                         41
Processes
C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bc5ac86fe53c6ef51a763c704eb36b6_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2884
  C:\Users\Admin\AppData\Local\Temp\DEM60F4.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM60F4.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2068
    C:\Users\Admin\AppData\Local\Temp\DEMB941.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB941.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1828
      C:\Users\Admin\AppData\Local\Temp\DEMF8B.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMF8B.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 912
        C:\Users\Admin\AppData\Local\Temp\DEM6623.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6623.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 1940
          C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe (depth 6)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC9B.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 1260
            C:\Users\Admin\AppData\Local\Temp\DEM12A6.exe (depth 7)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEM12A6.exe"
              - Executes dropped EXE
              PID: 628
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 15KB
  MD5: d25b92baa547b1282ce2a3a759c40420
  SHA1: 05333c9efe9660af2ab45dc6f3be5b77219a6be1
  SHA256: ef26550cbcfbdcb86fb5e573f1de7c0766f210fbd93357fc2ac46426430793bd
  SHA512: 95f49c882f13b7aabe28b376eadd1e62dd79592777543b9520cf32c72db0d196856b70f80431093c875d8c17f581419fb29a96c39758ea0e618f868a9e54bd4d
- Filesize: 15KB
  MD5: 886eb9174bd70e7a46e4089da5476477
  SHA1: d86042873f0cd93c47c378a84bf22002d8cd7bc1
  SHA256: ab623e2542c51a632ea590ca33d36493f71afc43622ff9c6c0441d5c157b40cb
  SHA512: eeeeaf23ecb493798c55cea5ab58d1555bcd26d7171a177ee09f7c25d625845bd762f22f3b3902977fc3b2282a632d6ee5d2cf77933be2983020d084ccbd9500
- Filesize: 15KB
  MD5: a2e21c044d4491250acb56959a2ef7cf
  SHA1: 3398265ca50f5d3b46f00c8e4469e167c3ba8900
  SHA256: e0cd83e5dba09d0ac2eda17622e7d44c01228570c03835e41e34094cc03e510f
  SHA512: 4fb52c316a0c032137ba67e649a313d1c49384adbabd652f27c7336098e6b12f05bbfb68021dd55b89633b75c8b543d7046318ae826d8a25ecaddf79a847611e
- Filesize: 15KB
  MD5: 2fb4f35b79b82b8f7514abef7cbffbe3
  SHA1: e9229195b97db2935725c1b1d9b1337afb57dbfa
  SHA256: 7b2fcc66bce0c8f3c342a6f0e63d50b376edf2955fd7ec5e04011498790a1df5
  SHA512: cdf8cf780583877f4a876974acbf929abb4cda7f9c8c4674a1e9f83947f2f79fab1357ee3952515a798e00df857a8f370d6b62698bd1744a4e79aadd292293a1
- Filesize: 15KB
  MD5: 1b02cb146c4a5591327e2aa4de4d818e
  SHA1: 931631b80f2de067a389f85b004afc3e64358487
  SHA256: 5738b999079bee39c9595ddd621a4f6bcaf1f5fdeb2fbd12c63e45fa22cea452
  SHA512: 4af4863ae4680e6e70210cf2aeda2ba898f80f766a6444659f2072d4c717c33cb4fe56a32528abcc8b7d891dbcca2291131d94462ec9bbd6d9894813e5841035
- Filesize: 15KB
  MD5: 27a196665c15508c5975557dbf0f6a1a
  SHA1: 2489c7e9cf57dae739834063e271c4e79230b549
  SHA256: cc4ce2a5eaa6119cc53ed715340cfcd53208ea993a214c9370c918df20626858
  SHA512: d7bbbe8618c5afc974ecac7a1b7f1672931f30191a9a29df6ac82f493115f9a09279dda52d60aa7367a581ff698b63ef0b098d8c8d7a3c6ef20181a8caf46cc0