Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
09/04/2024, 05:42
Static task
static1
Behavioral task
behavioral1
Sample
e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe
-
Size
385KB
-
MD5
e95aa7448831dd073ed1b2767d021b04
-
SHA1
ce8a692d7f49bce4cc1e9925173383e703b6e096
-
SHA256
cfffc467f24e3372dbb1fc43fffc92918ca781fed0509b9f6da8b6cf4f074e40
-
SHA512
ca3e4105903658798b97944ec5c022f4fcbd8d8bb95f7ebac4e8578a8d65b26b5aa8a8dd4dcaec4cd280a064e93a63eae8ea510df90fcafa495d53cd2779aebf
-
SSDEEP
6144:nIctPK94yphe//2wVyK/p6tGQHYbdYEnVujOEDo2D/17O1uk59n9IbMsNB3VB:nIcGFp0//xJkQ0YejzSuSn8RB
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 4816 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4816 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 8 pastebin.com 6 pastebin.com -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1116 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1116 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe 4816 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1116 wrote to memory of 4816 1116 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe 85 PID 1116 wrote to memory of 4816 1116 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe 85 PID 1116 wrote to memory of 4816 1116 e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e95aa7448831dd073ed1b2767d021b04_JaffaCakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:4816
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
385KB
MD5b1f7cc4f09ba699bb71180ca635ce62d
SHA1ce52d4655c4e8c9b2fc9e4b731615ca445f18fc9
SHA2566d1f03cb7ad4bea6c069ec7701f45b5afbb4eddc50b53241566f9585c0f6f524
SHA512de4a4f3809eb2e4dd79163c60e32764cf30e973dbfb84558e94d7c9d855b5be982599158697aead5ec9c779bbdf279afe09b1d72474c07c4dbd777794181c5ff