Analysis

max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 19:02
Static task
static1
Behavioral task
behavioral1
Sample
a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General

Target: a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Size: 1.1MB
MD5: a414244ecb89d5bdc1a0ece12bb2c2a9
SHA1: fb2c07209b248f612f48a898f449da88b2624fd9
SHA256: 59822012b04406a3df0f5893619e6129398134fc922d53ff1f1c9a6daf803f5b
SHA512: f0468ac67445f92a55d1f1511a169f8cada6235209dea67b133c9010201f220d4165e16d8bc50a5385f098d8733bac3ea91f4f270ea605e5768d20e40cc927e9
SSDEEP: 24576:8uPmLDUMihIXCE5y8FyDgy7dml+i2rYNapO:8u+LIIX7Y8t+iiYN2O
Malware Config
Signatures
Executes dropped EXE 11 IoCs
pid   Process
2384  Isass.exe
2192  Isass.exe
2672  Isass.exe
2620  Isass.exe
2624  Isass.exe
2532  Isass.exe
1108  Isass.exe
2716  Isass.exe
308   Isass.exe
1824  Isass.exe
2124  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Loads dropped DLL 20 IoCs
pid   Process
1720  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1720  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1720  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1720  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2608  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2608  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2256  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2256  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2480  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2480  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2476  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2476  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2908  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2908  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2268  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1988  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1584  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1824  Isass.exe
2384  Isass.exe
2384  Isass.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"
Process: a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"
Process: a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 37 IoCs
pid   Process
1720  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2384  Isass.exe
2192  Isass.exe
2192  Isass.exe
2192  Isass.exe
2608  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2672  Isass.exe
2672  Isass.exe
2672  Isass.exe
2256  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2620  Isass.exe
2620  Isass.exe
2620  Isass.exe
2480  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2624  Isass.exe
2624  Isass.exe
2624  Isass.exe
2476  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2532  Isass.exe
2532  Isass.exe
2532  Isass.exe
2908  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1108  Isass.exe
1108  Isass.exe
1108  Isass.exe
2268  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2716  Isass.exe
2716  Isass.exe
2716  Isass.exe
1988  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
308   Isass.exe
308   Isass.exe
308   Isass.exe
1584  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
1824  Isass.exe
1824  Isass.exe
1824  Isass.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid   Process
2124  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2124  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
2124  a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 1720
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
PID: 2384
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

Depth 2: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 2192
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 2608
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 2672
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 5: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 2256
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 2620
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 7: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 2480
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 8: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 2624
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 9: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 2476
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 10: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 2532
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 11: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 2908
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 12: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 1108
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 13: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 2268
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 14: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 2716
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 15: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 1988
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 16: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 308
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses

Depth 17: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 1584
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

Depth 18: C:\Users\Public\Microsoft Build\Isass.exe
Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
PID: 1824
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

Depth 19: C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
PID: 2124
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 452KB
MD5: 276c1b7f46b8488344e85387c9ce6e80
SHA1: 2901f43aa439f48baf786018696546e580ba9880
SHA256: 608c5265075bacf05353a4d816fe815ec1ba2e95bb88313d5cf38655274841be
SHA512: 5e02be9cfd27c3de2e17618958c5b82b38ef402ca59c260a1c93e2b0ac30871be29f43b3f160c8adb9c56061f5138db33a07e172c7c445c62fe0cd78f5fd1c8f

Filesize: 624KB
MD5: dedd8708721873baf3d803c3554dc7dd
SHA1: 070047ee6b6fe52be226009c817370f6e69f9d31
SHA256: 529b1a8217a932c507302ad85cd050d294316c7155122026ea11ef0233397685
SHA512: 913bac5400e1fcdff288521a1832330566d2c136e899f4a60874509dd0837d09b3b474af57da951fd50f1a8abdad2edfd0a463827b4f1b7dbbfd5a9cf7d3fd92