Analysis
max time kernel: 133s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 05:04
Static task: static1
Behavioral task: behavioral1
  Sample: dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
Size: 14KB
MD5: dbf4a2b38996ff3b5aded7751ccfc887
SHA1: 3f5a55079cccde72029dcb5fdd6650afe08dd1e8
SHA256: 5a542e621f1fa3e219cb70bacaf3e376dc592344b97bda3fe1e82a3a9c59e52e
SHA512: 40b3cd581b94eaf0c464f1134f18a323632333f8781e3a1d22382438e172bae2cf2a698a2853fbeadb3ce0ca26409e5342b32411f95c3190c1949fef7ac401ed
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhDv:hDXWipuE+K3/SSHgx9
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
  pid   Process
  2576  DEM6078.exe
  1724  DEMB664.exe
  2724  DEMBC4.exe
  1556  DEM620D.exe
  592   DEMB76D.exe
  2044  DEMD3A.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2856  dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
  2576  DEM6078.exe
  1724  DEMB664.exe
  2724  DEMBC4.exe
  1556  DEM620D.exe
  592   DEMB76D.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (24 IoCs; each parent/child pair was recorded 4 times)
  description                       pid   Process                                             procid_target  occurrences
  PID 2856 wrote to memory of 2576  2856  dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe  29             4
  PID 2576 wrote to memory of 1724  2576  DEM6078.exe                                         33             4
  PID 1724 wrote to memory of 2724  1724  DEMB664.exe                                         35             4
  PID 2724 wrote to memory of 1556  2724  DEMBC4.exe                                          37             4
  PID 1556 wrote to memory of 592   1556  DEM620D.exe                                         39             4
  PID 592 wrote to memory of 2044   592   DEMB76D.exe                                         41             4
Processes
1. C:\Users\Admin\AppData\Local\Temp\dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dbf4a2b38996ff3b5aded7751ccfc887_JaffaCakes118.exe"
   PID: 2856
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\DEM6078.exe (child of PID 2856)
     Command line: "C:\Users\Admin\AppData\Local\Temp\DEM6078.exe"
     PID: 2576
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\DEMB664.exe (child of PID 2576)
       Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB664.exe"
       PID: 1724
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe (child of PID 1724)
         Command line: "C:\Users\Admin\AppData\Local\Temp\DEMBC4.exe"
         PID: 2724
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\DEM620D.exe (child of PID 2724)
           Command line: "C:\Users\Admin\AppData\Local\Temp\DEM620D.exe"
           PID: 1556
           - Executes dropped EXE
           - Loads dropped DLL
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Local\Temp\DEMB76D.exe (child of PID 1556)
             Command line: "C:\Users\Admin\AppData\Local\Temp\DEMB76D.exe"
             PID: 592
             - Executes dropped EXE
             - Loads dropped DLL
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\DEMD3A.exe (child of PID 592)
               Command line: "C:\Users\Admin\AppData\Local\Temp\DEMD3A.exe"
               PID: 2044
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads