Analysis
max time kernel: 150s
max time network: 161s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-04-2024 02:09

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe
Resource: win7-20240221-en
5 signatures
150 seconds

Behavioral task: behavioral2
Sample: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe
Resource: win10v2004-20240226-en
8 signatures
150 seconds
General
Target: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe
Size: 49KB
MD5: c7f2d7e57ce04fbfe7444f2368dbd0d7
SHA1: b4a8f66afac14a098efd4196ef8beadc0c5d0c59
SHA256: d083d5c306cf73a20f5b759aeb8d44cbf72a65077b50a5efe4c8781cc997c9ce
SHA512: 6bc45699e2a43db4ee5a0b74f9c51f6aefbe5352a52f658da9a8cc088e1930b28641ef151228d3922b3a370beeb2b0fa992950938abede91182f943dc9e241d6
SSDEEP: 768:GCCCFlkbwAYbFshpyiB9L9Mx2BWseUCHGAwk5R9Jw:mbw/6plBTFBYNNR9Jw
Score: 10/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: winver.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\4CEB2DC2 = "C:\\Users\\Admin\\AppData\\Roaming\\4CEB2DC2\\bin.exe"
  process: winver.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: winver.exe
  pid / process: 2736 winver.exe (the same entry is recorded 64 times)

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: winver.exe
  pid / process: 2736 winver.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe, winver.exe
  description | pid / process | target process
  PID 1740 wrote to memory of 2736 | 1740 c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe | winver.exe (this entry is recorded 5 times)
  PID 2736 wrote to memory of 1268 | 2736 winver.exe | Explorer.EXE
  PID 2736 wrote to memory of 1172 | 2736 winver.exe | taskhost.exe
  PID 2736 wrote to memory of 1224 | 2736 winver.exe | Dwm.exe
  PID 2736 wrote to memory of 1268 | 2736 winver.exe | Explorer.EXE
Processes (path | command line | tree depth | PID)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | 1 | PID:1172

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | 1 | PID:1224

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1 | PID:1268
  C:\Users\Admin\AppData\Local\Temp\c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c7f2d7e57ce04fbfe7444f2368dbd0d7_JaffaCakes118.exe" | 2 | PID:1740
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\winver.exe | winver | 3 | PID:2736
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory