Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
11-04-2024 12:08
Static task
static1
Behavioral task
behavioral1
Sample
ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe
-
Size
385KB
-
MD5
ed636897081ed24777d1dc75563a71d5
-
SHA1
6d4e958009338821607dafba62b7bd15bd497a32
-
SHA256
abc8f71dac001f77639e23417e61f49bb1c7bff1a6170190bb7987ac8f8ccc8f
-
SHA512
7b1337504c59e47b73f0a48bb5fd7a747d50d7d0b4eb48d20addc9eb00c039e45a3bf04af79308eb9e735352098a3f592c0886a068180c5973f91f44fd2b8bb7
-
SSDEEP
6144:jhlB6TwS3Fn3BORpiZXsEceW/4YqPP9yIf0c5Q6zquFUqZIitQnQryoB:jhl2t0GXsEU/4Yq7f0cHmuFUjoQnQr3B
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 4896 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4896 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 6 pastebin.com 7 pastebin.com -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4932 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4932 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe 4896 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4932 wrote to memory of 4896 4932 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe 83 PID 4932 wrote to memory of 4896 4932 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe 83 PID 4932 wrote to memory of 4896 4932 ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\ed636897081ed24777d1dc75563a71d5_JaffaCakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:4896
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
385KB
MD5
a30147baa37522c5e3c61730113d4f3c
SHA1
a0122c9314a412af468806a35e93577eb62b1834
SHA256
fd31f9e0362968b7fa7f68776a3e5dfa472dc4bd816ca77f520d72fa21835eb7
SHA512
93d68c823e40d0d793059564f29c7ee13322f3d86a3c4cead857bce10c0b0026f3433012cfb9031a7c3daf90e4d2ebac35538923b6709bf9cbe8e95f975712cd