Analysis
max time kernel: 131s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 23:52
Static task
static1

Behavioral task
behavioral1
Sample: f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task
behavioral2
Sample: f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe
Size: 14KB
MD5: f49a9496d018c7159decc8ad37f416ea
SHA1: 5f90cde082dc1dd7db2116ffd65228d42799da55
SHA256: 30999808b642df4ea7713c9dec72678ace5de30f221540bbd78b49fb43a75f26
SHA512: 4127e32f964226a72335eec93a31efea482e5a113fabcbc62e8298a3f8a638566a0429be158f2f509ca3c4912a55f1cf414b2e168da497947d765c91f8429fa4
SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4Yhhi5:hDXWipuE+K3/SSHgxLi5
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
pid   Process
2604  DEME91.exe
2476  DEM648D.exe
2960  DEMBA5A.exe
1208  DEM1017.exe
1028  DEM6548.exe
1100  DEMBA89.exe

Loads dropped DLL (6 IoCs)
pid   Process
2984  f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe
2604  DEME91.exe
2476  DEM648D.exe
2960  DEMBA5A.exe
1208  DEM1017.exe
1028  DEM6548.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (24 IoCs)
The report records each of the six parent-to-child writes below four times (one row per WriteProcessMemory call), which gives the 24 entries.
description                        pid   Process                                              procid_target
PID 2984 wrote to memory of 2604   2984  f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe   29
PID 2604 wrote to memory of 2476   2604  DEME91.exe                                           31
PID 2476 wrote to memory of 2960   2476  DEM648D.exe                                          35
PID 2960 wrote to memory of 1208   2960  DEMBA5A.exe                                          37
PID 1208 wrote to memory of 1028   1208  DEM1017.exe                                          39
PID 1028 wrote to memory of 1100   1028  DEM6548.exe                                          41
Processes
1. "C:\Users\Admin\AppData\Local\Temp\f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe"  (PID 2984)
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\DEME91.exe"  (PID 2604)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\DEM648D.exe"  (PID 2476)
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. "C:\Users\Admin\AppData\Local\Temp\DEMBA5A.exe"  (PID 2960)
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. "C:\Users\Admin\AppData\Local\Temp\DEM1017.exe"  (PID 1208)
               - Executes dropped EXE
               - Loads dropped DLL
               - Suspicious use of WriteProcessMemory
               6. "C:\Users\Admin\AppData\Local\Temp\DEM6548.exe"  (PID 1028)
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  7. "C:\Users\Admin\AppData\Local\Temp\DEMBA89.exe"  (PID 1100)
                     - Executes dropped EXE
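The process tree above is a straight chain: seven processes, every one launched from the user's Temp directory, each writing into the next one's memory before it runs. As an added example (not part of the sandbox report or of the sandbox's own tooling), the script below rebuilds that chain from the WriteProcessMemory IoC rows and flags it as a Temp-to-Temp drop chain. The event rows and image paths are copied from the report; the explorer.exe/notepad.exe event with PIDs 1234/1235 and its two paths are constructed for the example. `LINE_RE`, the function names and the `min_depth` threshold are this example's own choices, not anything the sandbox exposes.

```python
import re
from collections import defaultdict

# Constructed input: the WriteProcessMemory IoC rows from the report (the report
# records every parent/child pair four times; the first pair is repeated here to
# show the de-duplication, the rest appear once), plus one constructed benign
# event, explorer.exe (PID 1234) writing into notepad.exe (PID 1235), which is
# NOT in the report and exists only so the detector has something to ignore.
EVENTS = """\
PID 2984 wrote to memory of 2604 2984 f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe 29
PID 2984 wrote to memory of 2604 2984 f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe 29
PID 2984 wrote to memory of 2604 2984 f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe 29
PID 2984 wrote to memory of 2604 2984 f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe 29
PID 2604 wrote to memory of 2476 2604 DEME91.exe 31
PID 2476 wrote to memory of 2960 2476 DEM648D.exe 35
PID 2960 wrote to memory of 1208 2960 DEMBA5A.exe 37
PID 1208 wrote to memory of 1028 1208 DEM1017.exe 39
PID 1028 wrote to memory of 1100 1028 DEM6548.exe 41
PID 1234 wrote to memory of 1235 1234 explorer.exe 50
"""

# Image path per PID, taken from the process tree in the report; the two
# explorer.exe / notepad.exe entries are constructed for the benign event.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCESS_PATHS = {
    2984: TEMP + r"\f49a9496d018c7159decc8ad37f416ea_JaffaCakes118.exe",
    2604: TEMP + r"\DEME91.exe",
    2476: TEMP + r"\DEM648D.exe",
    2960: TEMP + r"\DEMBA5A.exe",
    1208: TEMP + r"\DEM1017.exe",
    1028: TEMP + r"\DEM6548.exe",
    1100: TEMP + r"\DEMBA89.exe",
    1234: r"C:\Windows\explorer.exe",         # constructed
    1235: r"C:\Windows\System32\notepad.exe",  # constructed
}

# Matches the report's row layout: "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>"
LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_events(text):
    """Parse IoC rows into unique (parent_pid, child_pid, parent_image) edges.

    The sandbox logs one row per WriteProcessMemory call, so a single process
    launch shows up several times; collapse those to one edge per pair.
    """
    seen, edges = set(), []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ppid, cpid, image = int(m.group(1)), int(m.group(2)), m.group(3)
        if (ppid, cpid) not in seen:
            seen.add((ppid, cpid))
            edges.append((ppid, cpid, image))
    return edges


def longest_chain(edges):
    """Return the longest parent->child PID path that starts at a root PID
    (a PID that writes into a child but is never written into itself)."""
    children = defaultdict(list)
    for ppid, cpid, _ in edges:
        children[ppid].append(cpid)
    roots = {p for p, _, _ in edges} - {c for _, c, _ in edges}

    def walk(pid, visited):
        best = [pid]
        for c in children[pid]:
            if c in visited:  # guard against PID reuse producing a cycle
                continue
            path = [pid] + walk(c, visited | {c})
            if len(path) > len(best):
                best = path
        return best

    return max((walk(r, {r}) for r in roots), key=len, default=[])


def is_temp_path(path):
    """True for images located under <profile>\\AppData\\Local\\Temp."""
    return "\\appdata\\local\\temp\\" in path.lower()


def detect_temp_drop_chain(edges, paths, min_depth=4):
    """Return the chain when at least min_depth processes, every one of them
    running from Temp, each write into the next; otherwise return None."""
    chain = longest_chain(edges)
    if len(chain) < min_depth:
        return None
    if not all(is_temp_path(paths.get(pid, "")) for pid in chain):
        return None
    return chain


if __name__ == "__main__":
    hit = detect_temp_drop_chain(parse_events(EVENTS), PROCESS_PATHS)
    if hit:
        print("Temp drop chain, depth %d:" % len(hit))
        for pid in hit:
            print("  %5d  %s" % (pid, PROCESS_PATHS[pid]))
```

Run as-is, the script reports the seven-process chain from PID 2984 down to PID 1100 and ignores the constructed explorer.exe event. The de-duplication step matters because a single child launch produces several WriteProcessMemory rows; counting rows instead of distinct parent/child pairs would overstate the depth. On a live host the same edges come from process-creation telemetry (for example Sysmon event ID 1, ParentProcessId and ProcessId) rather than from a sandbox report; the walker does not change.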
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: cc394ecda14698e3fca34492988075d1
SHA1: c7471f998be2fe577bec76a07fe3938060bde66f
SHA256: 31b95d9ad21df9bcda629c4cdeee7913644c2b0e9e5c335d975388355546adcc
SHA512: 28501ed17b335f34658f51bacce98c63d89810800c61815ccfdefd4c24e83837b1ff485e20492cbfb84a4b6248fc6478e1e1dfe0334cd7a370698b6c1a74d8c2

Filesize: 14KB
MD5: c2d7ff1799bd339df13fbe0900412b2d
SHA1: e25cd6f66cff4627ada27811d3e4cbef9a4d3c43
SHA256: 38ef4d9a3635d11957f7238df6300c519e4addf1920a1f54bafcf8015a55ead1
SHA512: 09cb94b34a1d6c8459557c801390d8c94a67451fb222a80f751a845176b0b9bf06448149fe73a60367926271ca202765d25e06b8594b63aeb8731d9648c443dd

Filesize: 14KB
MD5: 2b942eea24e312db65701724f6c48618
SHA1: 750c1531816e87f121b67561bb95ad7fb8c6267a
SHA256: a30e65c2488da3f870d94d40d52e86d7fb6d1a4db2a972c7d3a1a56dc26266a7
SHA512: 6a3dc869acfea0542ae476305229f7c7fb9a807196dc9cd54143ad86c2885323156e280dfb3fa8c638cb0449e80a73d1994149dc577ae68e2aabcb3cc0d7ed26

Filesize: 14KB
MD5: 9af5b637b8d59af5a82e527141139dc7
SHA1: 5c27387eecb88a31dcd8e5cbf5c9106b66fea878
SHA256: 493b18adc7c1cdde8111158b83953de1ebd17632b6afdaaedeed6ab737c88dea
SHA512: b362dd915b2be1c88fa0fb4fe4a3a0778400cebb2e51fd5699b8b49f4fabed5b86b041737ab926b7ad76c1a2a31eb2e210b11a155e8e8ca9f11a5f2433b88b0c

Filesize: 14KB
MD5: 69667968d11db13ec338e5879a479e14
SHA1: 985f2e298f5e3f82aee06992c19da061de0433f4
SHA256: f3538548fa45af4539394f8a054c93f9e766d4607915be3868798b0c1443a756
SHA512: 6ac9c5065cc62eec83f85fe134666501c5cb827d503d45a482999c5206e9bb037b157f0afac2289903ffc02e5dc5bbc59665096f37dedf8bbfbaa53d786fd238

Filesize: 14KB
MD5: 658069becc98ec3a476423d6b96681a3
SHA1: 96276153b151bb0ec0462cf893dc8763d16bff1b
SHA256: c600fbf4d090b3042557a9eea2db144bf048b210f6854f684d2822c4bec8f81f
SHA512: b2c5051a8a59a459d15d69bcbbc2bf602d4e4fc18cc1931f3539b6fdfecee5b728c289e2201fb7ef24f9422dfbc7777b3e870828cf626c0f402c7abdc57fe1c6