Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/04/2024, 13:01
Behavioral task: behavioral1
- Sample: e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
- Resource: win10v2004-20231215-en
General
- Target: e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
- Size: 13KB
- MD5: e7853ebec5f438d537e1f0d59daef2b7
- SHA1: a3630f7c39503e1b3c7bf6393af6dffccd7b9782
- SHA256: 1b5723422fd107ecac103455ec79c881d4785970d33cc375f8de146267126ab8
- SHA512: 79811c6e6fc74e71f26d67eb221ee39ee86f7c563fcfc9d56f2d5847b9b8df02eb60316cd484d9368b1c8c4374c18f9c2dd8dd037ab6a923595a481d0d8f3534
- SSDEEP: 384:s5wfWyQB/pbXkaegjYWBX12fnaNJawcudoD7UM:AwfqXkaLYWBX12fanbcuyD7U
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2072 | Process b2e.exe
- Loads dropped DLL (5 IoCs)
  pid 2868 | Process e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
  pid 2868 | Process e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
  pid 2964 | Process WerFault.exe
  pid 2964 | Process WerFault.exe
  pid 2964 | Process WerFault.exe
- yara_rule matches
  resource behavioral1/memory/2868-0-0x0000000000400000-0x000000000040C000-memory.dmp | yara_rule upx
  resource behavioral1/memory/2868-10-0x0000000000400000-0x000000000040C000-memory.dmp | yara_rule upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid 2964 | pid_target 2072 | Process WerFault.exe | procid_target 28
- Suspicious use of WriteProcessMemory (8 IoCs)
  description PID 2868 wrote to memory of 2072 | pid 2868 | Process e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe | procid_target 28
  description PID 2868 wrote to memory of 2072 | pid 2868 | Process e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe | procid_target 28
  description PID 2868 wrote to memory of 2072 | pid 2868 | Process e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe | procid_target 28
  description PID 2868 wrote to memory of 2072 | pid 2868 | Process e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe | procid_target 28
  description PID 2072 wrote to memory of 2964 | pid 2072 | Process b2e.exe | procid_target 29
  description PID 2072 wrote to memory of 2964 | pid 2072 | Process b2e.exe | procid_target 29
  description PID 2072 wrote to memory of 2964 | pid 2072 | Process b2e.exe | procid_target 29
  description PID 2072 wrote to memory of 2964 | pid 2072 | Process b2e.exe | procid_target 29
Processes
- C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2868
  - C:\Users\Admin\AppData\Local\Temp\118E.tmp\b2e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\118E.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\118E.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\e7853ebec5f438d537e1f0d59daef2b7_JaffaCakes118.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2072
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 124
      - Loads dropped DLL
      - Program crash
      PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17KB
  MD5: 746c4b919f32f705067adccc46748ed7
  SHA1: 26e228a986bdfe7219d8354b6f9cbc4c3637dcfe
  SHA256: 5fcf4a4980b50f43a06ee1be36a01f2d922664beebd20bd5a2ef1a6a6b31b4c4
  SHA512: ec3d48b5e04d420a6e6bcab37d243dbd1c935d97f6cb6c383deeb19e27d820f1884ea3876937e6bffa03a298f71527f601288cdbe2fd5c2b0d29bd4d139fa0fc