Analysis
max time kernel: 131s
max time network: 141s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2024, 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: 2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
Size: 16KB
MD5: 2a199d6f1d78544b189a3039a2e5327f
SHA1: aabe548e2279b1d62a0c05f1e9e248dcb8b77300
SHA256: 1c0fb95388f6abdda01a52b238868e4be0716a3fc30e3f32aeb4c0695d3f085f
SHA512: b29a416d097fabf1d406107f48dd1f9767450da94a58629c96bf9f2b3b4f474e88eaf71565985b4c8a3a65ff6c897f6f9c527df254f3f9caf14b0e5ad30fe3cd
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlY2d:hDXWipuE+K3/SSHgxmlYu
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  pid   Process
  2620  DEM10E2.exe
  2336  DEM6680.exe
  2792  DEMBC8B.exe
  2320  DEM11DC.exe
  1364  DEM671C.exe
  1968  DEMBC4D.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2092  2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
  2620  DEM10E2.exe
  2336  DEM6680.exe
  2792  DEMBC8B.exe
  2320  DEM11DC.exe
  1364  DEM671C.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                              procid_target
  PID 2092 wrote to memory of 2620   2092  2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe  29
  PID 2092 wrote to memory of 2620   2092  2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe  29
  PID 2092 wrote to memory of 2620   2092  2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe  29
  PID 2092 wrote to memory of 2620   2092  2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe  29
  PID 2620 wrote to memory of 2336   2620  DEM10E2.exe                                          31
  PID 2620 wrote to memory of 2336   2620  DEM10E2.exe                                          31
  PID 2620 wrote to memory of 2336   2620  DEM10E2.exe                                          31
  PID 2620 wrote to memory of 2336   2620  DEM10E2.exe                                          31
  PID 2336 wrote to memory of 2792   2336  DEM6680.exe                                          35
  PID 2336 wrote to memory of 2792   2336  DEM6680.exe                                          35
  PID 2336 wrote to memory of 2792   2336  DEM6680.exe                                          35
  PID 2336 wrote to memory of 2792   2336  DEM6680.exe                                          35
  PID 2792 wrote to memory of 2320   2792  DEMBC8B.exe                                          37
  PID 2792 wrote to memory of 2320   2792  DEMBC8B.exe                                          37
  PID 2792 wrote to memory of 2320   2792  DEMBC8B.exe                                          37
  PID 2792 wrote to memory of 2320   2792  DEMBC8B.exe                                          37
  PID 2320 wrote to memory of 1364   2320  DEM11DC.exe                                          39
  PID 2320 wrote to memory of 1364   2320  DEM11DC.exe                                          39
  PID 2320 wrote to memory of 1364   2320  DEM11DC.exe                                          39
  PID 2320 wrote to memory of 1364   2320  DEM11DC.exe                                          39
  PID 1364 wrote to memory of 1968   1364  DEM671C.exe                                          41
  PID 1364 wrote to memory of 1968   1364  DEM671C.exe                                          41
  PID 1364 wrote to memory of 1968   1364  DEM671C.exe                                          41
  PID 1364 wrote to memory of 1968   1364  DEM671C.exe                                          41
Processes

C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe (PID 2092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe (PID 2620)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DEM6680.exe (PID 2336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6680.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe (PID 2792)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe (PID 2320)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\DEM671C.exe (PID 1364)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM671C.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe (PID 1968)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe"
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16KB
MD5: 4f580111965e4033377e90d736a637be
SHA1: 8b1afef6b392dac31bc071144141cb0224ba9ee7
SHA256: 87b64c5663657c34009616618a790688af7835ac9f20c2125185174f26114924
SHA512: 6c13357fcf34a153660cd4123f06463bcb073a4d56e142768377b2e24eeb360d584fda3c036802997235cb345cf786fc19c789ac55d8f012452ebb209d3ee195

Filesize: 16KB
MD5: f622aaf0d0bb1221b5e461bc399f5628
SHA1: ec207c017570a17519e336ee6f38d6824315e7e2
SHA256: 9bc833fd9d8ea867e2003e14ea8ec0a5c6ce2e629090c7f35dc6b40b3ce84a43
SHA512: 5ffdd0515d42ecbae676a7516e39eac31bb311da29c42c9124e62b52f1a24d68ce87dfa9428ba5d706af7eafacb96018ab41d89a43ca06f9416694a6bcfe9813

Filesize: 16KB
MD5: 5c34dc96755d80a3c025930c9e7ced76
SHA1: 77da55bdfee4fd7a36cbdfb6066150f26de8f469
SHA256: ad1db3c9e3d02f68fef5209d9f7de67cc2848a1a10833292bcb24abae620f2b1
SHA512: 49c9ff88024e23faaf4f6a24a7cf36c2cae3a57f027d58ec1221efd5583b5c0102404a5ab9ee5b4c4cbaecc1af7891acc001639a5b0d30e09588c4696662b39a

Filesize: 16KB
MD5: e11bb021eeb805dea2b7d1e3e9042692
SHA1: 63a18a1786aae9108fa60446b63a37a67f9c99f2
SHA256: 86b53142f656d7ad5368851e754902236f69d9e859647a3a151432d0b9246a9a
SHA512: 15ac808a5930b9cada19efede569de21a0559f5b864b20633a82d03c66b357b7a1e4067715271d142bb9f7776c67a5c5c078c159a534596c3b16b3297d76028a

Filesize: 16KB
MD5: fd5a1fa5f0e87e02ec5d286cbf502aa1
SHA1: dcf325d5ac7cc6780059f1e447e4e96b344130b1
SHA256: 4aa1d651a22d09d36b047e4a2969f5c7311fef2ef618289280d78e748a2471e0
SHA512: 344360b6b77e4deca9421bf961e58287db9d6e44f733f2e487090c96f6c6982cd85bcc84c8e5bfad4905d2aa5aa9b880e08fd37e322d73f9a2dc37467426eaec

Filesize: 16KB
MD5: 69d07ef0a49b819af2f29845ef926eb3
SHA1: c42e288c538238b16422d1101245b804d1c36e55
SHA256: c95e6e4e17f4d9a50ff0f3c75f6e76d1a8a5fd1feb2e957879f47292a843ef82
SHA512: dc768bb226272dbb90126fc3fbe5adc655a5444df64732844b07f304a12b73b383cffbfb16d1480b083ef1362e3801f747893b137775b1d166e7903125db8967