Analysis
-
max time kernel
91s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03-04-2024 00:23
Static task
static1
Behavioral task
behavioral1
Sample
9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/cwehlkdexhf.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/cwehlkdexhf.dll
Resource
win10v2004-20240226-en
General
-
Target
9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
-
Size
252KB
-
MD5
9b20c6a0c05584185da23f0892a7a982
-
SHA1
dfc1531489c4a803b0125c95b93609989dc3b138
-
SHA256
53fb1511812b33448fb51c4a6a7f4095600f2d30251546466ab1d401191fa59a
-
SHA512
2321b765bc891e89970457a47886dba583d68d588ac163d65c1dc1188fc2cd2935497a0a1413a5f23daa5628ffd17e252b121a0e856332aa5de155b3e56bedae
-
SSDEEP
3072:wBynOpL12riocLMRcjGk4bKcahjDTAZ2rhS1FhySMsQuK89M2NvkskmtjIk9qcCX:wBlL/cRzZ5aVTA2khy3MRks91Xxazt
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exepid process 4972 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1568 4972 WerFault.exe 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exedescription pid process target process PID 4972 wrote to memory of 1780 4972 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe PID 4972 wrote to memory of 1780 4972 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe PID 4972 wrote to memory of 1780 4972 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe 9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9b20c6a0c05584185da23f0892a7a982_JaffaCakes118.exe"2⤵PID:1780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 9802⤵
- Program crash
PID:1568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 49721⤵PID:3488
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD5201dec4f5cfe9c448804d504da2b9f50
SHA14a565158eb3ee42694427374e11fc052a0bd3dad
SHA256f70b1ff393e0aaf8c737ec09a41598d9e51fbdde8bb19a7051aecc8d0752c965
SHA51252771f45ca9d51fe84d125fcb741ea9485ffef8620c5bf7c4cf233f66540dc27e48bc1b83d7a16dfd2faaafa66903dd7504620721385ce106addbde15a1bac82