Analysis
- max time kernel: 133s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 05-04-2024 00:18
Static task: static1
Behavioral task: behavioral1
- Sample: c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe
- Resource: win7-20240319-en
Behavioral task: behavioral2
- Sample: c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe
- Size: 16KB
- MD5: c5b18ba3b57159f73d904ac5ce4b89ac
- SHA1: a53a81b86238464bb6a11b7df7b1bf155bbeede0
- SHA256: 8e179e59927da61852ba15f40032bd5b55494c5af5d53ba857d26b286712cf02
- SHA512: e40cc32946e555b3bc687fd676918979c46cf59c83e484548e8e47fa39cd3336cc18dfd8b1011083cecea35a14ee6b9592fd70d7b955e67d9a8aa8752526204c
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhayPL:hDXWipuE+K3/SSHgxZD
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid   Process
  2900  DEM38AD.exe
  2360  DEM8F83.exe
  2212  DEME5BD.exe
  2340  DEM3C84.exe
  1312  DEM9389.exe
  1444  DEME946.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2116  c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe
  2900  DEM38AD.exe
  2360  DEM8F83.exe
  2212  DEME5BD.exe
  2340  DEM3C84.exe
  1312  DEM9389.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                             procid_target
  PID 2116 wrote to memory of 2900   2116  c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe  29
  PID 2116 wrote to memory of 2900   2116  c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe  29
  PID 2116 wrote to memory of 2900   2116  c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe  29
  PID 2116 wrote to memory of 2900   2116  c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe  29
  PID 2900 wrote to memory of 2360   2900  DEM38AD.exe                                         33
  PID 2900 wrote to memory of 2360   2900  DEM38AD.exe                                         33
  PID 2900 wrote to memory of 2360   2900  DEM38AD.exe                                         33
  PID 2900 wrote to memory of 2360   2900  DEM38AD.exe                                         33
  PID 2360 wrote to memory of 2212   2360  DEM8F83.exe                                         35
  PID 2360 wrote to memory of 2212   2360  DEM8F83.exe                                         35
  PID 2360 wrote to memory of 2212   2360  DEM8F83.exe                                         35
  PID 2360 wrote to memory of 2212   2360  DEM8F83.exe                                         35
  PID 2212 wrote to memory of 2340   2212  DEME5BD.exe                                         37
  PID 2212 wrote to memory of 2340   2212  DEME5BD.exe                                         37
  PID 2212 wrote to memory of 2340   2212  DEME5BD.exe                                         37
  PID 2212 wrote to memory of 2340   2212  DEME5BD.exe                                         37
  PID 2340 wrote to memory of 1312   2340  DEM3C84.exe                                         39
  PID 2340 wrote to memory of 1312   2340  DEM3C84.exe                                         39
  PID 2340 wrote to memory of 1312   2340  DEM3C84.exe                                         39
  PID 2340 wrote to memory of 1312   2340  DEM3C84.exe                                         39
  PID 1312 wrote to memory of 1444   1312  DEM9389.exe                                         41
  PID 1312 wrote to memory of 1444   1312  DEM9389.exe                                         41
  PID 1312 wrote to memory of 1444   1312  DEM9389.exe                                         41
  PID 1312 wrote to memory of 1444   1312  DEM9389.exe                                         41
Processes
- C:\Users\Admin\AppData\Local\Temp\c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe (PID 2116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c5b18ba3b57159f73d904ac5ce4b89ac_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DEM38AD.exe (PID 2900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DEM38AD.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DEM8F83.exe (PID 2360)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM8F83.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\DEME5BD.exe (PID 2212)
        Command line: "C:\Users\Admin\AppData\Local\Temp\DEME5BD.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\DEM3C84.exe (PID 2340)
          Command line: "C:\Users\Admin\AppData\Local\Temp\DEM3C84.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\DEM9389.exe (PID 1312)
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9389.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\Temp\DEME946.exe (PID 1444)
              Command line: "C:\Users\Admin\AppData\Local\Temp\DEME946.exe"
              - Executes dropped EXE
Downloads