Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 03-04-2024 21:21
Behavioral task: behavioral1
- Sample: a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe
- Resource: win7-20240220-en
- 6 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
- 8 signatures
- 150 seconds
General
- Target: a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe
- Size: 160KB
- MD5: a6f49268044adfb73e4f8ea088c3dcfa
- SHA1: 5b92442c8945f9edf38e8126fc89020f53246004
- SHA256: 5df09e43f7d1ec24ee6bfb27102dfbaf466c620613338d1a28c0cff86b128e3e
- SHA512: 57f0dea14fae90415722ec137c910148a2aeef0f6f101f8da6542ca61ca00edf8369b0020fc64bcc11c7cac37a5021bc7bb7af55f9605c9fea5622f1403d5a68
- SSDEEP: 1536:CEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:JY+4MiIkLZJNAQ9J6v
- Score: 10/10
Malware Config
(none extracted)

Signatures

Processes (yara rule hits):
  resource                                                                      yara_rule
  behavioral1/memory/3036-0-0x0000000000400000-0x0000000000428000-memory.dmp    upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: winver.exe
  description      ioc                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\A2CDC433 = "C:\\Users\\Admin\\AppData\\Roaming\\A2CDC433\\bin.exe"  winver.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: winver.exe
  pid   process
  2724  winver.exe
  (the same entry, pid 2724 winver.exe, is listed 64 times in the report)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: winver.exe
  pid   process
  2724  winver.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe, winver.exe
  description                         pid   process                                             target process
  PID 3036 wrote to memory of 2724    3036  a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe  winver.exe
  PID 3036 wrote to memory of 2724    3036  a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe  winver.exe
  PID 3036 wrote to memory of 2724    3036  a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe  winver.exe
  PID 3036 wrote to memory of 2724    3036  a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe  winver.exe
  PID 3036 wrote to memory of 2724    3036  a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe  winver.exe
  PID 2724 wrote to memory of 1192    2724  winver.exe                                          Explorer.EXE
  PID 2724 wrote to memory of 1068    2724  winver.exe                                          taskhost.exe
  PID 2724 wrote to memory of 1168    2724  winver.exe                                          Dwm.exe
  PID 2724 wrote to memory of 1192    2724  winver.exe                                          Explorer.EXE
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\taskhost.exe, command line: "taskhost.exe", PID 1068
- C:\Windows\system32\Dwm.exe, command line: "C:\Windows\system32\Dwm.exe", PID 1168
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID 1192
  - C:\Users\Admin\AppData\Local\Temp\a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe, command line: "C:\Users\Admin\AppData\Local\Temp\a6f49268044adfb73e4f8ea088c3dcfa_JaffaCakes118.exe", PID 3036
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe, command line: winver, PID 2724
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory