Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 11/04/2024, 09:50
Static task: static1
Behavioral task: behavioral1
- Sample: ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
- Size: 457KB
- MD5: ed23abcbc1b29979d493f96e81949c19
- SHA1: 8c24f0fa686a138e8201111d1cb27e51a07aa21e
- SHA256: f37b886af5ac967a930182530840f9aa8d8a23d8ad2bae1b707fd5c341ba115f
- SHA512: 879f6c42ccc307996ea0dddb403298524e5e9675cc842461a614b9a995bc3270d9d40bca4c5f9ddeb0d23b2e6a84b350af3ff3354df590b0913304141656cfd7
- SSDEEP: 6144:5XS4qa4kF2muihncrFUhySHWPvANVHi1kvGPre7mFsjcLtJewrsacT+dPuOFZUkF:5OyVDnK0ySHAvKU1C6GnutJsoZauy1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2312  winine.exe
- Drops file in System32 directory (5 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\SysWOW64\ieapfltr.dat  ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\winine.exe    ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\winine.exe    ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\ieapfltr.dat  winine.exe
  File opened for modification  C:\Windows\SysWOW64\winine.exe    winine.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  836   ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
  Token: SeDebugPrivilege  2312  winine.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed23abcbc1b29979d493f96e81949c19_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 836
- C:\Windows\SysWOW64\winine.exe
  Command line: C:\Windows\SysWOW64\winine.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2312
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 457KB
  MD5: ed23abcbc1b29979d493f96e81949c19
  SHA1: 8c24f0fa686a138e8201111d1cb27e51a07aa21e
  SHA256: f37b886af5ac967a930182530840f9aa8d8a23d8ad2bae1b707fd5c341ba115f
  SHA512: 879f6c42ccc307996ea0dddb403298524e5e9675cc842461a614b9a995bc3270d9d40bca4c5f9ddeb0d23b2e6a84b350af3ff3354df590b0913304141656cfd7