Analysis

max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04-04-2024 09:40
Behavioral task: behavioral1
Sample: b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe
Resource: win7-20240220-en
6 signatures, 150 seconds

Behavioral task: behavioral2
Sample: b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe
Resource: win10v2004-20231215-en
8 signatures, 150 seconds
General

Target: b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe
Size: 160KB
MD5: b4fcb9fe40178e8127f061a9a27065e5
SHA1: 46b79426b483acba7dfb74edaa68816334d35e31
SHA256: 3442bd40c33f50513f445ffaf592d72a59648de8e5b864915f7fc9ba7cf9bb24
SHA512: 961cf71fd55c0d095812629e3ac7655d471479a8218762c02ab4f22862e77f06a58b81c21774cf610b78efa1db056def08f27331f8b86b8f9156973696e6d0f1
SSDEEP: 1536:uEY+mFM2HXKZgi0Iksu+XM5/HtAQ9J6xph:lY+4MiIkLZJNAQ9J6v
Score: 10/10
Malware Config
Signatures
- (unnamed signature: yara rule match)
  Processes:
    resource: behavioral1/memory/2204-0-0x0000000000400000-0x0000000000428000-memory.dmp
    yara_rule: upx

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\9F2B991A = "C:\\Users\\Admin\\AppData\\Roaming\\9F2B991A\\bin.exe"
    process: winver.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2700, process winver.exe (the same entry is listed for each of the 64 IoCs)

- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid 2700, process winver.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 2204 wrote to memory of 2700 / 2204 / b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe / winver.exe
    PID 2204 wrote to memory of 2700 / 2204 / b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe / winver.exe
    PID 2204 wrote to memory of 2700 / 2204 / b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe / winver.exe
    PID 2204 wrote to memory of 2700 / 2204 / b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe / winver.exe
    PID 2204 wrote to memory of 2700 / 2204 / b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe / winver.exe
    PID 2700 wrote to memory of 1200 / 2700 / winver.exe / Explorer.EXE
    PID 2700 wrote to memory of 1084 / 2700 / winver.exe / taskhost.exe
    PID 2700 wrote to memory of 1136 / 2700 / winver.exe / Dwm.exe
    PID 2700 wrote to memory of 1200 / 2700 / winver.exe / Explorer.EXE
Processes

- C:\Windows\system32\taskhost.exe  "taskhost.exe"  (level 1)  PID:1084
- C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (level 1)  PID:1136
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (level 1)  PID:1200
  - C:\Users\Admin\AppData\Local\Temp\b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\b4fcb9fe40178e8127f061a9a27065e5_JaffaCakes118.exe"  (level 2)  PID:2204
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe  winver  (level 3)  PID:2700
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory