Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 05:21
Static task
static1
Behavioral task
behavioral1
Sample
dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe
-
Size
76KB
-
MD5
dc3b465454af3811a5b1a6323e03c96f
-
SHA1
37b52ed6f54638dccf3b25cf111d248107aff408
-
SHA256
68d0913a23e38aee84a3b9176595b8fc6f85bfd7497a95a1d23b9ba9c70cad94
-
SHA512
e3e7383f0e5f509f354d7e4d5ae1d89c7337b72dcb4fc5e5058b454c576757f30daf80f383cfcf0c44136bf21782c78702dc868bbfac222a0256453dd8ac5a2a
-
SSDEEP
1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitl8PW6/4:qKtfDwsjPThTYszDH2fDyB/4
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3516 Logo1_.exe 4488 dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Logo1_.exe dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe File created C:\Windows\virDll.dll Logo1_.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3616 3516 WerFault.exe 86 -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe 3516 Logo1_.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2240 wrote to memory of 3908 2240 dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe 85 PID 2240 wrote to memory of 3908 2240 dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe 85 PID 2240 wrote to memory of 3908 2240 dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe 85 PID 2240 wrote to memory of 3516 2240 dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe 86 PID 2240 wrote to memory of 3516 2240 dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe 86 PID 2240 wrote to memory of 3516 2240 dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe 86 PID 3908 wrote to memory of 4488 3908 cmd.exe 91 PID 3908 wrote to memory of 4488 3908 cmd.exe 91 PID 3908 wrote to memory of 4488 3908 cmd.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3940.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe"3⤵
- Executes dropped EXE
PID:4488
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 6243⤵
- Program crash
PID:3616
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3516 -ip 35161⤵PID:2088
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
614B
MD58c8616d931b38e80a5860599ee49699b
SHA1018cc89a5c43aaa97d2cfe2ad7dd13359f3c883f
SHA256b8a7a852a69eff939ce104cc0b5e37a539a4475bc5f72fb5e59dd99ef12e83a5
SHA512345c63d5d288d13f158f4dd43d79c6ef2d7db7953f84d0d8ca9618e8e4f04ef42a0125cba3dee2d1eb9f95588fa8b1e243179441e96afd70e55c065b08a8e758
-
Filesize
18KB
MD577727b915db20a529be45b065bcd1e06
SHA1ed010c2b80fd73413ae996d379004c4d996325b9
SHA256d41f7aad49c106e1a8bc19ecc5eb938679ddcc7f7df082714d8f95eb0f2a2387
SHA512845f1506474f3b604d3f6eaf955da5840741e64f281e16033b599029c375360770b32c6071582450a329724ad731388a797e5cd81d742dfd3004f5ee9918a80f
-
Filesize
58KB
MD595171e6dfb058af81fa91c507acef887
SHA1251de8a3bad783a43e48e44c6d45b28253ff9bfb
SHA2560986d881f40f22dd7897b8f7a8a8a836d6867952a665460e6c240bda4c69cb8e
SHA512e8fa72fd4f54527da630847f3944321180fa1759e1f432c08dc047486768373f7ebb8b526afdd9307809d706b1c2b1dc635ebe74ab8afc769159de2b7d63c19c