Analysis

- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-04-2024 00:40
Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe
- Resource: win7-20240221-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
- 8 signatures
- 150 seconds
General

- Target: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe
- Size: 88KB
- MD5: c627515de0166a6526f4ad9f5a7be0da
- SHA1: 1960b94da73b75bc5e8ad2860f454af17a846983
- SHA256: 1302f1aff384aa2a421895552a96cb4eaa93b67c4746190cb93b2d0910ebacc6
- SHA512: 4d5e7e0325ea905f6d48b4d56a202b9b752a705bb8fe57ed20902e6a39b36cb058b07b583a5c7362ac274049c4d7df4c722ea197fca4eae329699d0ae5c75e9e
- SSDEEP: 1536:W5nfmIpxDWbUfd3aOPmxxEhvgCooXqRQqjh+rmKVsN:W5fvp12UFKcD/6jwqWsN
- Score: 10/10
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 1 IoCs)

  Processes: winver.exe

  | description | ioc | process |
  |---|---|---|
  | Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\63F67D64 = "C:\\Users\\Admin\\AppData\\Roaming\\63F67D64\\bin.exe" | winver.exe |

- Suspicious behavior: EnumeratesProcesses (64 IoCs)

  Processes: winver.exe

  | pid | process |
  |---|---|
  | 1740 | winver.exe |

  All 64 IoCs under this signature are the same pid/process entry (1740 winver.exe).

- Suspicious use of FindShellTrayWindow (1 IoCs)

  Processes: winver.exe

  | pid | process |
  |---|---|
  | 1740 | winver.exe |

- Suspicious use of WriteProcessMemory (9 IoCs)

  Processes: c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe, winver.exe

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 1716 wrote to memory of 1740 | 1716 | c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe | winver.exe |
  | PID 1716 wrote to memory of 1740 | 1716 | c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe | winver.exe |
  | PID 1716 wrote to memory of 1740 | 1716 | c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe | winver.exe |
  | PID 1716 wrote to memory of 1740 | 1716 | c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe | winver.exe |
  | PID 1716 wrote to memory of 1740 | 1716 | c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe | winver.exe |
  | PID 1740 wrote to memory of 1204 | 1740 | winver.exe | Explorer.EXE |
  | PID 1740 wrote to memory of 1112 | 1740 | winver.exe | taskhost.exe |
  | PID 1740 wrote to memory of 1172 | 1740 | winver.exe | Dwm.exe |
  | PID 1740 wrote to memory of 1204 | 1740 | winver.exe | Explorer.EXE |
Processes

| process | command line | nesting level | PID | signatures |
|---|---|---|---|---|
| C:\Windows\system32\taskhost.exe | "taskhost.exe" | 1 | 1112 | |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | 1 | 1172 | |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1 | 1204 | |
| C:\Users\Admin\AppData\Local\Temp\c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c627515de0166a6526f4ad9f5a7be0da_JaffaCakes118.exe" | 2 | 1716 | Suspicious use of WriteProcessMemory |
| C:\Windows\SysWOW64\winver.exe | winver | 3 | 1740 | Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory |