Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 12:21
Behavioral task: behavioral1
Sample: e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe
Size: 16.6MB
MD5: e9fa19fb977b56defd431dad3ab7f58d
SHA1: 6c4560c770106bd547667e5568dfc5b629bb5818
SHA256: bfa0a6a94f9f940232cad86f2ec9c1a52e5de7b8e29cd22681eed52df8f6ee20
SHA512: 61f117667e4d1228254de5d500c246597e6401974998fa388b33e9af08c61d2c7a97637ce38df2a36736a02d50a5ccd09c57d1788292a3b7f20ba685681f16bf
SSDEEP: 393216:y8j1ATZJ1RW0b4vhB1yZCvWyXrHrhqnB9E1V6r9IL/:r1+1q5B1v7bHrO94VUuL
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
  pid   Process
  2812  PES2012Patch106.exe
  2624  setup.exe
Loads dropped DLL 2 IoCs
  pid   Process
  2892  e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe
  2892  e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe
  resource                                                                      yara_rule
  behavioral1/files/0x000f000000015a98-6.dat                                    themida
  behavioral1/memory/2812-11-0x0000000000400000-0x000000000047E889-memory.dmp   themida
  resource                                                                      yara_rule
  behavioral1/memory/2892-0-0x0000000000400000-0x0000000000433000-memory.dmp    upx
  behavioral1/memory/2892-8-0x0000000003080000-0x00000000030FF000-memory.dmp    upx
  behavioral1/memory/2892-106-0x0000000000400000-0x0000000000433000-memory.dmp  upx
  behavioral1/memory/2892-108-0x0000000000400000-0x0000000000433000-memory.dmp  upx
Suspicious use of SetThreadContext 1 IoCs
  description                              pid   Process              procid_target
  PID 2812 set thread context of 2516      2812  PES2012Patch106.exe  29
Drops file in Program Files directory 1 IoCs
  description   ioc                                                   Process
  File created  C:\Program Files (x86)\Internet Explorer\iexplore.exe:1  iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NTFS ADS 1 IoCs
  description   ioc                                                   Process
  File created  C:\Program Files (x86)\Internet Explorer\iexplore.exe:1  iexplore.exe
Suspicious use of WriteProcessMemory 37 IoCs
  description                        pid   Process                                             procid_target  entries
  PID 2892 wrote to memory of 2812   2892  e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe  28             7
  PID 2812 wrote to memory of 2516   2812  PES2012Patch106.exe                                 29             9
  PID 2812 wrote to memory of 2612   2812  PES2012Patch106.exe                                 30             7
  PID 2892 wrote to memory of 2624   2892  e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe  32             7
  PID 2624 wrote to memory of 1476   2624  setup.exe                                           33             7
Processes

C:\Users\Admin\AppData\Local\Temp\e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9fa19fb977b56defd431dad3ab7f58d_JaffaCakes118.exe"
  PID: 2892
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\iss.tmp0\PES2012Patch106.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\iss.tmp0\PES2012Patch106.exe"
    PID: 2812
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2516
      - Drops file in Program Files directory
      - NTFS ADS

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.bat
      PID: 2612

  C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\iss.tmp0\setup.exe"
    PID: 2624
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\MSIEXEC.EXE
      Command line: MSIEXEC.EXE /p "C:\Users\Admin\AppData\Local\Temp\{6A581F85-0AB3-430D-9C9E-0BA1F4F8D8C9}\Patch106.msp" REINSTALLMODE=omus REINSTALL=ALL SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\iss.tmp0" SETUPEXENAME="setup.exe"
      PID: 1476
Network
MITRE ATT&CK Enterprise v15
Downloads