Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/04/2024, 11:05
Behavioral task
behavioral1
Sample
ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe
-
Size
15KB
-
MD5
ed46034ddd1b55c03dad43f51cf65ae3
-
SHA1
f21e112e880de9c6038da6b96a737faae4082b0e
-
SHA256
0455da8d01952f0709b32f6dbaf34b48d9753ae034b0874bc3cc9dc4ef856080
-
SHA512
df7758aea0990b51a4a310ec5aab06dc08427e68a1a5f19560c85146a85dbba266204da095806b8483773861b1eac7cc7e1f8b47dd9840b6666ed46cb378664e
-
SSDEEP
384:MkxO70M1uhxbnUicuK7hS6nXUyzdXAy5Hv:TA9uzbMuguQ
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\some = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe" ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2480 scm.exe -
resource yara_rule behavioral2/memory/2408-0-0x0000000000400000-0x000000000040F000-memory.dmp upx behavioral2/memory/2408-5-0x0000000000400000-0x000000000040F000-memory.dmp upx -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2480 scm.exe 2480 scm.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2480 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 84 PID 2408 wrote to memory of 2480 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 84 PID 2408 wrote to memory of 2480 2408 ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ed46034ddd1b55c03dad43f51cf65ae3_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\scm.exeC:\Users\Admin\AppData\Local\Temp\scm.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2480
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5a86e481c0dfc355c94aa23aaf44cf566
SHA15d5ffc4a9cf70b5c0881bb61ccd3987cbd7c0178
SHA2568f7b3d8c7838e5ca6f969697be8a94bf836a0dea5cf22cec280942bd8bb7c1be
SHA5128f238ad5d3c0991b8a5c3295c56e2c12bf6bd2c4991f616b682d6c6bf788acdfa1638a248c1fabe6b5df74ee740bf8814b08057bc539151514194a89803ad115