Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 13:21
Static task: static1
Behavioral task: behavioral1
- Sample: b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
- Size: 272KB
- MD5: b96781c5601f3e5c44e955e9f1d261c8
- SHA1: 387ec8f67707b40f7504c0098b58a978c7889932
- SHA256: 64a753aeb9f4b178c8b1a8d8385d7eab119d21d7fee0f167ba1b044d0f96caa3
- SHA512: d128e30b4e4020bdf71bf1fe1db77cf8f99c2415a26280d5516fe70f7e379ab24d464ab10908a1b2df23cd32717c8d2f37eb5f7fbf4fc3ce02fc97421cf87459
- SSDEEP: 6144:q+FNvDu5NMsd+mF9gNMrhsgRx2aHNs8DtD1SpUxw:lFxDAdMmF94KZJ+Z
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1084, process 63dcf9addd66ec6a.exe
- Executes dropped EXE (2 IoCs)
  pid 1084, process 63dcf9addd66ec6a.exe
  pid 2308, process 63dcf9addd66ec6a.exe
- Loads dropped DLL (3 IoCs)
  pid 2200, process b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
  pid 2200, process b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
  pid 1084, process 63dcf9addd66ec6a.exe
- yara_rule upx matched on the following resources (memory dumps, all mapping 0x0000000000400000-0x0000000000541000):
  behavioral1/memory/2200-1-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-11-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2200-10-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-15-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-73-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-74-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-75-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-76-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-77-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-78-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-79-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-80-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-81-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-82-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-83-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-84-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-85-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-86-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-87-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-88-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-90-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-89-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-91-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-92-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-153-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-154-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-155-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-156-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-157-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-158-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-159-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-160-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/1084-161-0x0000000000400000-0x0000000000541000-memory.dmp
  behavioral1/memory/2308-162-0x0000000000400000-0x0000000000541000-memory.dmp
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\63dcf9addd66ec6a.exe\"" (process 63dcf9addd66ec6a.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\63dcf9addd66ec6a.exe\"" (process 63dcf9addd66ec6a.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\63dcf9addd66ec6a.exe\"" (process 63dcf9addd66ec6a.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*System Health Monitoring Service Pro = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\63dcf9addd66ec6a.exe\"" (process 63dcf9addd66ec6a.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2200 (b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe) wrote to memory of PID 1084, target process id 28 (reported 4 times)
  PID 1084 (63dcf9addd66ec6a.exe) wrote to memory of PID 2308, target process id 29 (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe"
  PID: 2200
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\63dcf9addd66ec6a.exe:*C:\Users\Admin\AppData\Local\Temp\b96781c5601f3e5c44e955e9f1d261c8_JaffaCakes118.exe *
    PID: 1084
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - child: C:\Users\Admin\AppData\Local\Temp\63dcf9addd66ec6a.exea ZZZZZZYZRVG
      PID: 2308
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 272KB
  MD5: e6ec64b6cd5bfbe9efc874cd853d2df9
  SHA1: 0231e014e3abb379def3ec6a123b12158ce26157
  SHA256: bcf8dfba617599264bbaad0fea97a96862931da5ca5c95bbaa24bf849f542313
  SHA512: 05c868fd6819882a4b69fc3b2531d6636348e43bbf8a611258bafe37e4e4c39d93c42e14d624fb0f58f34bf9da5def852d13825dafc1e2074c2ec63cbacce77f