Analysis
-
max time kernel
160s -
max time network
169s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04/04/2024, 17:37
Static task
static1
Behavioral task
behavioral1
Sample
be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
be84124151ed648b1b236e244142a92f
-
SHA1
baa95fb4f850ed518cd3f8b2286b755734d84360
-
SHA256
d79fac50d787b497de862322274d0541eb3095ec92fb66ae683ccd5360246869
-
SHA512
12f9eab03c4b0804938f6a8a1e8ad9b795e8dd4cd4007e2bd7958e0576e54673b7b3b21861de18e6f539c61226b89ffb2537929f24c4eba553150952f5be8765
-
SSDEEP
24576:6ArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdPYfCG6bYVxXNVD8pVt:6e0mfW3YNPRRlG4saIprQNk
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk be84124151ed648b1b236e244142a92f_JaffaCakes118.exe -
Loads dropped DLL 2 IoCs
pid Process 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" be84124151ed648b1b236e244142a92f_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2984 wrote to memory of 2696 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 27 PID 2984 wrote to memory of 2696 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 27 PID 2984 wrote to memory of 2696 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 27 PID 2984 wrote to memory of 2696 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 27 PID 2984 wrote to memory of 2700 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 28 PID 2984 wrote to memory of 2700 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 28 PID 2984 wrote to memory of 2700 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 28 PID 2984 wrote to memory of 2700 2984 be84124151ed648b1b236e244142a92f_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵PID:2696
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵PID:2700
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92B
MD52004bcee923b0e0222f4cab87c2c2a3d
SHA10a3c122b7cfe403403d913ecc1b328480b1bfc2a
SHA256f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77
SHA512cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445
-
Filesize
735B
MD515287e4b78ab920ea0081591f8106615
SHA1a1628bd63201e179f636af77f3d58c9a1a4a97e2
SHA256c4ea5abf1d82828f77819dfa7dc9b728206518cecc387f279b10bef2f4e10c3f
SHA5126211fdb6eeb7dbd342e44f40ebfd73b415574ae76354d498887b44473c55b07656feb5709cee320a8a5f22f62931f4518136000e12065e0958d6eb46dae4f1a7
-
Filesize
1.1MB
MD5f42eb169ae6fc4797d2bd10b409a4686
SHA17d4282523a4d1ec1ea02c0dc13124cb60bff2d9a
SHA2565ec91e54b1beb2161a81c58e89ff56a90ff497b3efefa4d99cf930637bbd569a
SHA5121ebfb4dd11371dc9e3affb731fe6ea51affa096c1a12c163555e5b18c32cf6ca545258c1a66d8421e6e44a066f541ec04fc6da85c3d9918945eb5a71e8b3fb95