Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
04/04/2024, 13:29
Static task
static1
Behavioral task
behavioral1
Sample
b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
-
Size
243KB
-
MD5
b98db2db541ce0a423aad8318c837f6a
-
SHA1
3021759eacdde130af0bc84a99501adff05008e1
-
SHA256
d075d15e65636715be3589aca73e83098ea3aa6c83d0b1136aeaa6d21da47e62
-
SHA512
414be408f6a49c30882a1829d7b9766b5f07c911ece47421df82153cc81de0b870f8db0206c75708e2c00aa8c74e4069dc16b8b8558edc13c9e6408078e1399f
-
SSDEEP
3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e83kgnYHfQlAO:o68i3odBiTl2+TCU/Fk8KfQlE
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
-
Drops file in Windows directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SHARE_TEMP\Icon5.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon6.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon10.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\winhash_up.exez | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon14.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File opened for modification | C:\Windows\winhash_up.exez | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\winhash_up.exe | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon3.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon7.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon12.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon13.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\SHARE_TEMP\Icon2.ico | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
File created | C:\Windows\bugMAKER.bat | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1984 wrote to memory of 2592 | 1984 | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | 28
PID 1984 wrote to memory of 2592 | 1984 | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | 28
PID 1984 wrote to memory of 2592 | 1984 | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | 28
PID 1984 wrote to memory of 2592 | 1984 | b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe | 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\b98db2db541ce0a423aad8318c837f6a_JaffaCakes118.exe" 1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\cmd.exe cmd /c C:\Windows\bugMAKER.bat 2⤵ PID:2592
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
90B
MD5 9d7f8c1df2cc9643f04a9dc4e70428bc
SHA1 c5f84bb4c153222391fc7d9418646982705f980a
SHA256 7b73123a64108ff5a4a37b7745d1beaf384050b22cba2714eb93f8587a962b68
SHA512 eed170be30ad6d3381909b0c28b51e8c9718bba81428052f58b88d61caa2f81a264dc4875e931aaa221e54d6deb6660b8b4d142ed42411cdea881a1547f941e6