Analysis
max time kernel: 9s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 18:40
Behavioral task: behavioral1
Sample: f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
Size: 2.0MB
MD5: f888ddf97885f6950cfc69db48f45089
SHA1: eaca51225311315c70b88d6fd6a5eaf8b4e4c908
SHA256: 90d28068d7dbfc8d38b1ad3cc81c0d179199c9c999ff9c486cd6d783f60b6ad0
SHA512: fb86ea1e51de57fbc230ae9ba6e7bc8e19a95f35e9a785c652b4cda775f4145e85bed83bd6d74ea3381b04ce4499e1939f1c297824e9bff61c4c7c351da7d523
SSDEEP: 49152:hDzbaYeXe8IcakLz0ibq6yqhhubDY0CgOnQvEn0bcakLz0ibq6yqh:Rb9edIcakcibiqhMbMgOn7n0bcakcibJ
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
yara rule match: upx 3 IoCs
resource | yara_rule
behavioral2/memory/3800-0-0x0000000000400000-0x000000000065C000-memory.dmp | upx
behavioral2/memory/5032-14-0x0000000000400000-0x000000000065C000-memory.dmp | upx
behavioral2/files/0x0008000000023259-12.dat | upx
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow | ioc
7 | pastebin.com
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the dropped copy (PID 5032) registers the task v3dGbWFyc353 with /SC ONLOGON and /RL HIGHEST, pointing back at the sample's own path under AppData\Local\Temp, and then exports the task definition with schtasks /Query /XML to GvnNYKUXp.xml in the same directory.
pid | Process
1852 | schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
3800 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
3800 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3800 wrote to memory of 5032 | 3800 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 91
PID 3800 wrote to memory of 5032 | 3800 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 91
PID 3800 wrote to memory of 5032 | 3800 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 91
PID 5032 wrote to memory of 1852 | 5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 92
PID 5032 wrote to memory of 1852 | 5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 92
PID 5032 wrote to memory of 1852 | 5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 92
PID 5032 wrote to memory of 3156 | 5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 94
PID 5032 wrote to memory of 3156 | 5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 94
PID 5032 wrote to memory of 3156 | 5032 | f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe | 94
PID 3156 wrote to memory of 2208 | 3156 | cmd.exe | 96
PID 3156 wrote to memory of 2208 | 3156 | cmd.exe | 96
PID 3156 wrote to memory of 2208 | 3156 | cmd.exe | 96
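Added example (not part of the sandbox report): a short Python script that rebuilds the process tree from records like the ones in these tables and flags the pattern the signatures describe, a child running the same image as its parent from a user-writable directory after the parent wrote into its memory, then pulls the child's descendants so the whole post-injection chain (schtasks, cmd) can be collected. The process records and write events are constructed to mirror the report's PIDs, images and "wrote to memory of" rows; the msedge command line is shortened and the list of user-writable directories is an assumption.

```python
"""Rebuild the sandbox process tree and flag self-re-execution from a
user-writable directory.  Added example for this report; the records
below are constructed to mirror the report's process list and its
WriteProcessMemory rows (they are not parsed from the page)."""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe")
SYSWOW = r"C:\Windows\SysWOW64"

# Constructed process-creation records: (pid, ppid, image path, command line).
# ppid 0 marks processes whose parent is outside the captured tree.
PROCESSES = [
    (3800, 0, SAMPLE, f'"{SAMPLE}"'),
    (5032, 3800, SAMPLE, SAMPLE),
    (1852, 5032, SYSWOW + r"\schtasks.exe",
     f'schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "{SAMPLE}" /TN v3dGbWFyc353 /F'),
    (3156, 5032, SYSWOW + r"\cmd.exe",
     r"cmd.exe /c schtasks.exe /Query /XML /TN v3dGbWFyc353 > "
     r"C:\Users\Admin\AppData\Local\Temp\GvnNYKUXp.xml"),
    (2208, 3156, SYSWOW + r"\schtasks.exe", "schtasks.exe /Query /XML /TN v3dGbWFyc353"),
    (1528, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "msedge.exe --type=utility"),  # sandbox background noise; flags shortened
]

# Constructed cross-process write events (writer pid, target pid); the report
# lists each pair three times, once per write the sandbox observed.
MEMORY_WRITES = ([(3800, 5032)] * 3 + [(5032, 1852)] * 3
                 + [(5032, 3156)] * 3 + [(3156, 2208)] * 3)

# Assumed list of directories an unprivileged user can write to; a chain
# rooted here is a stronger signal than the same one under System32.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)


def build_tree(processes):
    """Return (pid -> node dict, list of root nodes)."""
    by_pid = {pid: {"pid": pid, "ppid": ppid, "image": image,
                    "cmdline": cmdline, "children": []}
              for pid, ppid, image, cmdline in processes}
    roots = []
    for node in by_pid.values():
        parent = by_pid.get(node["ppid"])
        (parent["children"] if parent is not None else roots).append(node)
    return by_pid, roots


def find_self_reexec(by_pid, memory_writes):
    """pids of children that run the same image as their parent from a
    user-writable path and were written into by that parent."""
    writers = defaultdict(set)
    for src, dst in memory_writes:
        writers[dst].add(src)
    hits = []
    for node in by_pid.values():
        parent = by_pid.get(node["ppid"])
        if parent is None:
            continue
        same_image = (ntpath.basename(node["image"]).lower()
                      == ntpath.basename(parent["image"]).lower())
        if (same_image and USER_WRITABLE.search(node["image"])
                and parent["pid"] in writers[node["pid"]]):
            hits.append(node["pid"])
    return hits


def descendants(by_pid, pid):
    """All pids below `pid`, so the whole post-injection chain can be pulled."""
    out, stack = [], list(by_pid[pid]["children"])
    while stack:
        node = stack.pop()
        out.append(node["pid"])
        stack.extend(node["children"])
    return sorted(out)


def render(nodes, depth=0):
    """Indented text tree, one line per process, sorted by pid at each level."""
    lines = []
    for node in sorted(nodes, key=lambda n: n["pid"]):
        lines.append(f"{'  ' * depth}{node['pid']} {ntpath.basename(node['image'])}")
        lines.extend(render(node["children"], depth + 1))
    return lines


if __name__ == "__main__":
    by_pid, roots = build_tree(PROCESSES)
    print("\n".join(render(roots)))
    for pid in find_self_reexec(by_pid, MEMORY_WRITES):
        print(f"self-re-execution from user-writable path: pid {pid}, "
              f"descendants {descendants(by_pid, pid)}")
```

The same-image check alone is noisy (installers and updaters re-launch themselves routinely); requiring the write edge from the parent and a user-writable image path is what narrows it to the chain this report shows.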
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe"
  PID: 3800
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Users\Admin\AppData\Local\Temp\f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe
    PID: 5032
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe" /TN v3dGbWFyc353 /F
      PID: 1852
      - Creates scheduled task(s)
    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c schtasks.exe /Query /XML /TN v3dGbWFyc353 > C:\Users\Admin\AppData\Local\Temp\GvnNYKUXp.xml
      PID: 3156
      - Suspicious use of WriteProcessMemory
      [level 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks.exe /Query /XML /TN v3dGbWFyc353
        PID: 2208
[level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  PID: 1528
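Added example (neither the sample's own export nor the sandbox's code): the chain above ends with the sample dumping its task definition via schtasks /Query /XML into GvnNYKUXp.xml, and an analyst will usually have that file, or the task's XML pulled from C:\Windows\System32\Tasks, in hand. The Python below triages such an export for the same persistence shape the /CREATE line encodes: a logon trigger, RunLevel HighestAvailable and an action under a user-writable path. The two task definitions are constructed, one matching the flags on the report's schtasks command line and one benign comparison; the task_xml helper and the user-writable directory list are assumptions, not the sample's real file.

```python
"""Triage an exported Task Scheduler definition (the file that
`schtasks /Query /XML` writes, here GvnNYKUXp.xml) for the persistence
shape in the report: logon trigger, RunLevel HighestAvailable and an
action inside a user-writable directory.  Added example; the XML is
constructed to match the flags on the report's schtasks command line and
is not the sample's real export."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f888ddf97885f6950cfc69db48f45089_JaffaCakes118.exe")


def load_task_xml(raw: bytes) -> ET.Element:
    """schtasks exports UTF-16 with a BOM.  Decode it ourselves and drop the
    XML declaration so ElementTree parses the text as-is."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def assess_task(raw: bytes) -> dict:
    """Extract triggers, run level and actions; each persistence indicator
    becomes one finding, and two or more findings mark the task suspicious."""
    root = load_task_xml(raw)
    triggers_el = root.find("t:Triggers", NS)
    triggers = ([] if triggers_el is None
                else [child.tag.rsplit("}", 1)[-1] for child in triggers_el])
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]

    findings = []
    if any(t in ("LogonTrigger", "BootTrigger") for t in triggers):
        findings.append("runs at logon/boot")
    if run_level == "HighestAvailable":
        findings.append("requests highest available privileges")
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append(f"action in user-writable path: {cmd}")
    return {"triggers": triggers, "run_level": run_level, "commands": commands,
            "findings": findings, "suspicious": len(findings) >= 2}


def task_xml(command: str, trigger: str, run_level: str) -> bytes:
    """Constructed minimal task definition in the shape schtasks exports
    (UTF-16 with BOM, task schema namespace, version 1.2)."""
    body = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>{trigger}</Triggers>
  <Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""
    return body.encode("utf-16")  # Python's utf-16 codec prepends the BOM


# Constructed to match `schtasks /CREATE /RL HIGHEST /SC ONLOGON /TR "<sample>"`.
MALICIOUS_TASK = task_xml(SAMPLE, "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
                          "HighestAvailable")
# Constructed benign comparison: daily schedule, least privilege, System32 binary.
BENIGN_TASK = task_xml(r"C:\Windows\System32\cleanmgr.exe",
                       "<CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval>"
                       "</ScheduleByDay></CalendarTrigger>", "LeastPrivilege")

if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        result = assess_task(raw)
        print(name, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Run it over every file under C:\Windows\System32\Tasks on a suspect host, or over an export made with `schtasks /Query /XML /TN <name>`, to find tasks with the same shape; the task name is not inside the XML, so keep the file path alongside each result.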
Network
MITRE ATT&CK Enterprise v15
Creates scheduled task(s): Scheduled Task/Job: Scheduled Task (T1053.005)
Legitimate hosting services abused for malware hosting/C2: Web Service (T1102)
Downloads
Filesize: 1KB
MD5: daeeec10e0640f67c7ed19bb0f77c900
SHA1: c5d380ca59bf982b0ef6289d6adfcdac8562e9ae
SHA256: 5335c8dc793f63f81689b5430511c73fe6b9fc9ce6405de74276775e2b2fce5a
SHA512: a499002596e0bca02a9d13d1590d4e82385b16aa1b3bd018c429c53cbdc3daf674f7373d6fe7e7e7b6e81b475e83c60ae14cae5178da7cc59f1f12512b9bfe0c
Filesize: 128KB
MD5: b5ae11db1170da0b8f72cab2b02c51a3
SHA1: 2fa27fc043a702aead890f88f0f64249218d7c94
SHA256: a4da6be72c8014ed8d66c8847cdd2ce2ec51c64516eaf6e4d9970b724464d508
SHA512: 582366676025e24adea0b5e2d558d6834a343ddc92e086f68e06ad6200a451d5ab509e611f172ac96b6b15791dc6acb711dcf1d815a7371a48b245f9f0b56432