Analysis
- max time kernel: 2s
- max time network: 7s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-04-2024 02:01
Static task: static1

Behavioral task: behavioral1
- Sample: ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
- Resource: win7-20240319-en

Behavioral task: behavioral2
- Sample: ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
- Resource: win10v2004-20240226-en

The analysis metadata at the top of this report (platform windows10-2004_x64, resource win10v2004-20240226-en) corresponds to behavioral2, so the signatures and process tree below are from the Windows 10 run; the Windows 7 run (behavioral1) is not shown on this page. Note the short runtime (2s kernel, 7s network): behaviour that needs more time, such as network activity after injection, would not appear here.
General
- Target: ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
- Size: 58KB
- MD5: ac8ca6a89c097ad5ebe2ed376e52637c
- SHA1: b7fb1ba2ad4b892b37f731a0d77d897e12e1305e
- SHA256: 5c4dc0a7ee6eda98aa684c59f2d26882dc904ea617eee7f3125b5ce6929e3fe7
- SHA512: 3188f569330e670da2528259b035a869cb4acbdb46f59a1aca37e82b4a5bd715994286a4acdec8116dde05870cc8c6d35bfc833322d9983abeec4faace18e2c2
- SSDEEP: 768:32Xyttp4KlRamjIMEI6M8obwTtmfvg3RylG1Bc+goe:mXy/pjRbjZwtmwEloBrNe
Malware Config
- (empty: no configuration was extracted from this sample)
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  PID 2728 (ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe) set thread context of PID 4236 (ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1052 (winver.exe), 2 events
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1052 (winver.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2728 (ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2728 (ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe) wrote to memory of PID 4236 (ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe), 6 events
  PID 4236 (ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe) wrote to memory of PID 1052 (winver.exe), 4 events
  PID 1052 (winver.exe) wrote to memory of PID 3464 (Explorer.EXE), 1 event

Read together, these IoCs describe a three-stage injection chain. The first instance of the sample (PID 2728) launches a second copy of itself (PID 4236), writes into it six times and then resets its thread context; that combination of WriteProcessMemory followed by SetThreadContext on a child running the same image is the classic process-hollowing (RunPE) sequence, so the code that actually runs in PID 4236 is unlikely to be the on-disk 58KB file. The hollowed copy then writes into winver.exe (PID 1052), a small signed Microsoft binary that makes a low-profile host, and winver.exe in turn enumerates processes, looks up the shell tray window and writes into Explorer.EXE (PID 3464). The report only shows that memory was written and a thread context changed; it does not show what was written, so the final payload and its purpose cannot be determined from this page alone.
Processes
- C:\Windows\Explorer.EXE (PID 3464), depth 1
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe (PID 2728), depth 2
    command line: "C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe (PID 4236), depth 3
      command line: "C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\winver.exe (PID 1052), depth 4
        command line: winver
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
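The cross-process IoCs in the Signatures section and the parent/child tree above can be reduced to a small graph and classified automatically. The script below is an added example and is not part of the sandbox report or its tooling: the process table, parent map and event list are constructed by hand from the PIDs and counts printed on this page, and the function and variable names are the author's own. It flags a process-hollowing candidate where a parent both writes into a child it spawned and resets that child's thread context, and then follows WriteProcessMemory edges from the hollowed process to list every downstream injection target.

```python
"""Reconstruct an injection chain from sandbox cross-process IoCs.

Added example (not part of the Triage report). The data below is constructed
from the PIDs, image paths and event counts shown in the report above.
"""
from collections import defaultdict
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe"

# Process table (pid -> image path) taken from the "Processes" section.
PROCESSES = {
    3464: r"C:\Windows\Explorer.EXE",
    2728: SAMPLE,
    4236: SAMPLE,
    1052: r"C:\Windows\SysWOW64\winver.exe",
}

# Parent of each process, from the tree depths in the "Processes" section.
PARENT = {2728: 3464, 4236: 2728, 1052: 4236}

# Cross-process events as (api, source pid, target pid), constructed from the
# "Signatures" section: 6 writes 2728->4236, 1 SetThreadContext 2728->4236,
# 4 writes 4236->1052 and 1 write 1052->3464 (11 WriteProcessMemory IoCs).
EVENTS = (
    [("WriteProcessMemory", 2728, 4236)] * 6
    + [("SetThreadContext", 2728, 4236)]
    + [("WriteProcessMemory", 4236, 1052)] * 4
    + [("WriteProcessMemory", 1052, 3464)]
)


def find_hollowing(events, processes, parent):
    """Return (source, target, same_image) for every pair where the source
    spawned the target, wrote into it, and reset its thread context. That is
    the write-then-SetThreadContext half of the process-hollowing (RunPE)
    sequence; same_image is True when the child runs the parent's own binary.
    """
    writes = defaultdict(int)
    contexts = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            contexts.add((src, dst))
    hits = []
    for src, dst in sorted(contexts):
        if writes[(src, dst)] and parent.get(dst) == src:
            hits.append((src, dst, processes[src] == processes[dst]))
    return hits


def injection_chain(events, start):
    """Breadth-first walk over WriteProcessMemory edges from `start`; returns the
    ordered list of PIDs that received writes transitively (start included).
    The `seen` set guards against cycles, e.g. two processes writing to each
    other."""
    edges = defaultdict(set)
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            edges[src].add(dst)
    chain, seen, frontier = [start], {start}, [start]
    while frontier:
        nxt = []
        for pid in frontier:
            for dst in sorted(edges[pid]):
                if dst not in seen:
                    seen.add(dst)
                    chain.append(dst)
                    nxt.append(dst)
        frontier = nxt
    return chain


def describe(events, processes, parent):
    """Human-readable summary: one line per hollowing hit and one line listing
    the processes downstream of the hollowed copy."""
    lines = []
    for src, dst, same_image in find_hollowing(events, processes, parent):
        kind = "self-hollowing (same image)" if same_image else "hollowing of another image"
        lines.append(f"{kind}: {src} -> {dst} ({ntpath.basename(processes[dst])})")
        chain = injection_chain(events, dst)
        lines.append("downstream targets: " + " -> ".join(
            f"{pid} {ntpath.basename(processes[pid])}" for pid in chain))
    return lines


if __name__ == "__main__":
    for line in describe(EVENTS, PROCESSES, PARENT):
        print(line)
```

For this report the script reports a self-hollowing hit 2728 -> 4236 and the downstream chain 4236 -> 1052 winver.exe -> 3464 Explorer.EXE. The same three functions work on any report where the cross-process events can be reduced to (api, source, target) triples; the parent check in `find_hollowing` is what separates hollowing of a freshly spawned child from injection into an unrelated existing process, which the chain walker reports separately.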