Analysis
- max time kernel: 132s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05/04/2024, 15:46
Static task: static1
Behavioral task: behavioral1
- Sample: d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
- Resource: win10v2004-20231215-en
General
- Target: d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
- Size: 15KB
- MD5: d7edc031b01cd05e9e9e2ec5bb2a653d
- SHA1: c3bc79316add683361103d4662ea6c3c903e6d2f
- SHA256: 21b659bbc59593ae8e08f0192a657bb2028d5efff1453080c878c894461656d2
- SHA512: a4324105c1e48ca9a6d9cb903235555d5bb41475b93a3ec2d54c9cbb3195a752ede30d81c930dcd84f946140b0753176d60784c396d2c115ca879869db3dbdd6
- SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhY/wrW:hDXWipuE+K3/SSHgxm/F
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid / Process:
  2604 DEM4106.exe
  2436 DEM9695.exe
  2676 DEMEBF4.exe
  2292 DEM4154.exe
  596 DEM975F.exe
  2276 DEMED6B.exe
- Loads dropped DLL (6 IoCs)
  pid / Process:
  3048 d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
  2604 DEM4106.exe
  2436 DEM9695.exe
  2676 DEMEBF4.exe
  2292 DEM4154.exe
  596 DEM975F.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / Process / procid_target (each of the six entries below is recorded four times in the report, 24 IoCs in total):
  PID 3048 wrote to memory of 2604 / 3048 / d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe / 29
  PID 2604 wrote to memory of 2436 / 2604 / DEM4106.exe / 33
  PID 2436 wrote to memory of 2676 / 2436 / DEM9695.exe / 35
  PID 2676 wrote to memory of 2292 / 2676 / DEMEBF4.exe / 37
  PID 2292 wrote to memory of 596 / 2292 / DEM4154.exe / 39
  PID 596 wrote to memory of 2276 / 596 / DEM975F.exe / 41
Processes
1. C:\Users\Admin\AppData\Local\Temp\d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d7edc031b01cd05e9e9e2ec5bb2a653d_JaffaCakes118.exe"
   PID: 3048
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DEM4106.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4106.exe"
      PID: 2604
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\DEM9695.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEM9695.exe"
         PID: 2436
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\DEMEBF4.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\DEMEBF4.exe"
            PID: 2676
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\DEM4154.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEM4154.exe"
               PID: 2292
               - Executes dropped EXE
               - Loads dropped DLL
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\DEM975F.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\DEM975F.exe"
                  PID: 596
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Local\Temp\DEMED6B.exe
                     Command line: "C:\Users\Admin\AppData\Local\Temp\DEMED6B.exe"
                     PID: 2276
                     - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads