Analysis
max time kernel: 132s
max time network: 141s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-04-2024 03:54
Static task: static1
Behavioral task: behavioral1
  Sample: ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe
  Resource: win10v2004-20231215-en
General
Target: ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe
Size: 16KB
MD5: ca222526f39b019c0bb0115b73ded893
SHA1: 6afcce76d3c5d47f2c84969bda6e6ce3fbc268cd
SHA256: 0c483e99471dceb8ea772b1fd5cd61ab4948d028422c416b2ae71e9744fd07e7
SHA512: 0878f595376e49b830fe6702715efb379e8ed8b64e4474d25e89a04332e36e406f7cb1ba3d4d96ef93a6ca30fd0264cde9e8d9231fd5da6e675bced606311380
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhD8Z0:hDXWipuE+K3/SSHgxt60
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  1804  DEM1A06.exe
  2700  DEM6FD3.exe
  2992  DEMC5CF.exe
  1732  DEM1BAB.exe
  2744  DEM7197.exe
  1784  DEMC726.exe
Loads dropped DLL (6 IoCs)
  pid   Process
  1032  ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe
  1804  DEM1A06.exe
  2700  DEM6FD3.exe
  2992  DEMC5CF.exe
  1732  DEM1BAB.exe
  2744  DEM7197.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (24 IoCs)
  The report records each parent/child pair four times (24 write events in total); the "events" column carries that count.
  pid   Process                                               wrote to memory of   procid_target   events
  1032  ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe   1804                 29              4
  1804  DEM1A06.exe                                           2700                 31              4
  2700  DEM6FD3.exe                                           2992                 35              4
  2992  DEMC5CF.exe                                           1732                 37              4
  1732  DEM1BAB.exe                                           2744                 39              4
  2744  DEM7197.exe                                           1784                 41              4
Processes
1. C:\Users\Admin\AppData\Local\Temp\ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe"
   PID: 1032
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe (child of PID 1032)
     command line: "C:\Users\Admin\AppData\Local\Temp\DEM1A06.exe"
     PID: 1804
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEM6FD3.exe (child of PID 1804)
       command line: "C:\Users\Admin\AppData\Local\Temp\DEM6FD3.exe"
       PID: 2700
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEMC5CF.exe (child of PID 2700)
         command line: "C:\Users\Admin\AppData\Local\Temp\DEMC5CF.exe"
         PID: 2992
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM1BAB.exe (child of PID 2992)
           command line: "C:\Users\Admin\AppData\Local\Temp\DEM1BAB.exe"
           PID: 1732
           - Executes dropped EXE
           - Loads dropped DLL
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEM7197.exe (child of PID 1732)
             command line: "C:\Users\Admin\AppData\Local\Temp\DEM7197.exe"
             PID: 2744
             - Executes dropped EXE
             - Loads dropped DLL
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEMC726.exe (child of PID 2744)
               command line: "C:\Users\Admin\AppData\Local\Temp\DEMC726.exe"
               PID: 1784
               - Executes dropped EXE
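The signature lists and the process tree above describe one linear chain: the submitted sample spawns DEM1A06.exe from the user's Temp directory, which spawns DEM6FD3.exe, and so on for seven processes in total, with every spawned child itself flagged as a dropped executable. The Python below is an added example, not code from the sandbox or from the page; it parses the two IoC lists exactly as the page flattens them into run-on lines, rebuilds the parent-to-child chain from the WriteProcessMemory events, and returns the checks a triage analyst would want confirmed before calling this a multi-stage dropper: the chain is linear, every spawned child appears in the "Executes dropped EXE" list, the source image recorded on each write agrees with that list, and each parent/child pair accounts for exactly four write events. The input strings are copied from this report; the regular expressions, function names and the DEM-name check are my own choices, and the "four writes per pair" figure and the DEM<4 hex digits>.exe naming are observations about this trace, not a family signature.

```python
"""Rebuild the dropper chain from this report's flattened signature lines."""
import re
from collections import Counter

ROOT_PID = 1032
ROOT_IMAGE = "ca222526f39b019c0bb0115b73ded893_JaffaCakes118.exe"

# Constructed input: the 'Executes dropped EXE' list as the page prints it.
EXEC_DROPPED = (
    "pid Process 1804 DEM1A06.exe 2700 DEM6FD3.exe 2992 DEMC5CF.exe "
    "1732 DEM1BAB.exe 2744 DEM7197.exe 1784 DEMC726.exe"
)

# Constructed input: the 'Suspicious use of WriteProcessMemory' list; the
# report repeats every parent/child entry four times, hence the "* 4".
WPM = "description pid Process procid_target " + (
    f"PID 1032 wrote to memory of 1804 1032 {ROOT_IMAGE} 29 " * 4
    + "PID 1804 wrote to memory of 2700 1804 DEM1A06.exe 31 " * 4
    + "PID 2700 wrote to memory of 2992 2700 DEM6FD3.exe 35 " * 4
    + "PID 2992 wrote to memory of 1732 2992 DEMC5CF.exe 37 " * 4
    + "PID 1732 wrote to memory of 2744 1732 DEM1BAB.exe 39 " * 4
    + "PID 2744 wrote to memory of 1784 2744 DEM7197.exe 41 " * 4
)

# Every dropped stage in this report is named DEM<4 hex digits>.exe; this is
# an observation about the trace (assumption for the check), not a signature.
STAGE_NAME = re.compile(r"^DEM[0-9A-F]{4}\.exe$")


def parse_exec_dropped(text):
    """'Executes dropped EXE' list -> {pid: image}."""
    return {int(p): img for p, img in re.findall(r"(\d+) (\S+\.exe)", text)}


def parse_wpm(text):
    """WriteProcessMemory list -> Counter{(src_pid, dst_pid, src_image): events}.
    The back-reference \\1 pins the repeated source pid the report prints."""
    pat = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
    return Counter((int(s), int(d), img) for s, d, img, _ in pat.findall(text))


def build_chain(root_pid, root_image, dropped, writes):
    """Follow parent->child writes from the root and return [(pid, image), ...].
    Raises if a stage has more than one child or the graph loops back."""
    children = {}
    for src, dst, _ in writes:
        children.setdefault(src, []).append(dst)
    names = {root_pid: root_image, **dropped}
    chain, pid, seen = [(root_pid, root_image)], root_pid, {root_pid}
    while pid in children:
        kids = children[pid]
        if len(kids) != 1 or kids[0] in seen:
            raise ValueError(f"not a linear chain at pid {pid}: {kids}")
        pid = kids[0]
        seen.add(pid)
        chain.append((pid, names.get(pid, "<not in dropped list>")))
    return chain


def summarize(chain, dropped, writes):
    """Facts to confirm before reporting this as a multi-stage dropper."""
    stage_pids = [pid for pid, _ in chain[1:]]
    # the source image on each write must agree with the dropped-EXE list
    consistent = all(src == ROOT_PID or dropped.get(src) == img
                     for src, _, img in writes)
    return {
        "depth": len(chain),
        "stages_not_in_dropped_list": [p for p in stage_pids if p not in dropped],
        "stage_names_match": all(STAGE_NAME.match(img) for _, img in chain[1:]),
        "images_consistent": consistent,
        "writes_per_pair": set(writes.values()),
        "total_write_events": sum(writes.values()),
    }


def analyze(exec_dropped=EXEC_DROPPED, wpm=WPM):
    """Parse both IoC lists and return (chain, summary)."""
    dropped = parse_exec_dropped(exec_dropped)
    writes = parse_wpm(wpm)
    chain = build_chain(ROOT_PID, ROOT_IMAGE, dropped, writes)
    return chain, summarize(chain, dropped, writes)


if __name__ == "__main__":
    chain, summary = analyze()
    for depth, (pid, image) in enumerate(chain, 1):
        print(f"{'  ' * (depth - 1)}{depth}. {image} (PID {pid})")
    print(summary)
```

Running the block prints the same seven-level tree the Processes section shows and a summary with depth 7, an empty list of unlisted stages and 24 write events split evenly over six pairs. Feeding it a trace where a parent writes into two children makes build_chain raise, which is the case (injection into an unrelated process, or a fan-out of drops) that the linear-chain reading above would not cover.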
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: f2ffb2b3cc658c476fe6802e20a63e44
SHA1: 92344a9e0ec48a965244f2647c73c98649ad7874
SHA256: 228edb4e2e9fa7702468724cd36c7d881c1dcef580445e7cded4a12eeb149278
SHA512: d443e1ce60b83724d0ba72eda225bc82ae0e3e9831d937e61b11966b662ce86db97b56721917a7da7ce55edaa296434b1b1dc430c601a124030741f6083537c5

Filesize: 16KB
MD5: acfa42ce5d67668c1e5acbc9ab7d67ef
SHA1: 712fcd3a11f957e6bda9f93be2d6362fc78e5549
SHA256: 0bbcfa1207f54ccf6644efd6471ebc77f90223ac264be74136aba08264b025fd
SHA512: 72a11b561ad5fd28e0eee26b8543a227452d2254b02afe6666d0b90594ff7f2d3108b13fef569b84d15a285c7b19cb01fdd701ca1b413f1e7e0c0456b4a7269f

Filesize: 16KB
MD5: 271bd05c3dd6d1f5c1664b3d50eb18be
SHA1: 8c8a83f13a4c62b7ee6122b267173f167999ea4c
SHA256: 96275bd7838268bccadc6a2bb9035849cd758dedbc0197a7406884973d90464b
SHA512: bee1bf01af465a1591cf3fd0b97ac139645dd8483111096489a120debc439fa61b83ebcace6c7e97b6a524c31dd12cf7678b53a3ed874a5e92581ae65f6b82ea

Filesize: 16KB
MD5: 3e9e554828e24558a85d259729b7f907
SHA1: 15209f6ada3bdd061129df7c6fa6704072097330
SHA256: 9fce3f24ce25c4eec2389d9937d04b318f569fb52e9df59509bb88b2dc3d8f2f
SHA512: d83db865c41ad6f9dc0279ef109002e02d001aa9c1f62b58862cf1e0f7feb007b69fdfb11253e4daed932f745c0f5a7fe8e2a137beb48a5c56133dc586a10161

Filesize: 16KB
MD5: f984b0516245bc567215ac4b26f283ed
SHA1: a021dc49fde5d1f5c04b6beb4fe13f045a1a88b4
SHA256: 5626839ae91e16d1c5304ff5b2f5705f9acc1d3b83f874b0113b8210206ada64
SHA512: 66504e37e763a07055456b54daaf94a1fa810235503d5aad2e997fa34bb0524c7bc0c337e4136fcec8b869fb6aefb86a487cf4fa6318ce841541312c2dfbb123

Filesize: 16KB
MD5: d28abbda13984773ca07650ae86ccb2d
SHA1: 99fe434f238260e34a85131f121471dc5ecafced
SHA256: fdba457d5cb27ea44daaa82ffba5b43d0b2651f2050090b6f5cf602ae01cb1c7
SHA512: 4cee2c49adb0eadfbdff0e5248baa090fb75e3b47f937ed1d742d8742457eea19734ec8ab5474eb35ec7ae2a11c534105d3b9da462d08ab517d58126cec4f4d0