Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19/04/2024, 23:11

Static task: static1

Behavioral task: behavioral1
- Sample: fb603a119a5714bf2fa79e64f67dceda_JaffaCakes118.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: fb603a119a5714bf2fa79e64f67dceda_JaffaCakes118.exe
- Resource: win10v2004-20240412-en

General
- Target: fb603a119a5714bf2fa79e64f67dceda_JaffaCakes118.exe
- Size: 332KB
- MD5: fb603a119a5714bf2fa79e64f67dceda
- SHA1: 2b7372dccc857bb55d571f2dd95c54fa7e8e1e66
- SHA256: 7d8f26dcaa7aaa7fb02680772ab17380e88aadb06dc3033bd06658856ef0272d
- SHA512: 3712b43a2f90188fb75a6893125b9f9ea4ed3ff969c787353c6c73086cf45eb02dde6d3914436ab0b521cfdfa5efe8d9ba0bfc462d307eefd5688692f7623439
- SSDEEP: 6144:/itlyU+eCLtUT2HdPe/5xag5BaNvSGh1L7oTVyGqol:4P0e2cBxa6aNaGT7oTVx
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid   Process
  2868  anhxrcb.exe
- Drops file in Program Files directory (2 IoCs)
  description   ioc                              Process
  File created  C:\PROGRA~3\Mozilla\anhxrcb.exe  fb603a119a5714bf2fa79e64f67dceda_JaffaCakes118.exe
  File created  C:\PROGRA~3\Mozilla\fqurfhn.dll  anhxrcb.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1364  fb603a119a5714bf2fa79e64f67dceda_JaffaCakes118.exe
  2868  anhxrcb.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2268 wrote to memory of 2868  2268  taskeng.exe  29
  PID 2268 wrote to memory of 2868  2268  taskeng.exe  29
  PID 2268 wrote to memory of 2868  2268  taskeng.exe  29
  PID 2268 wrote to memory of 2868  2268  taskeng.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\fb603a119a5714bf2fa79e64f67dceda_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb603a119a5714bf2fa79e64f67dceda_JaffaCakes118.exe"
  PID: 1364
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6FB5DBE2-5BF9-49F8-8B1D-424117B80C34} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2268
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\anhxrcb.exe (child of PID 2268)
    Command line: C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
    PID: 2868
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 332KB
  MD5: f435669dde8b6c06a0ccec9cf2364a7a
  SHA1: 97cd992f1cb2a1b9ca4a157ba5f08ce8e91093ab
  SHA256: 741e141aa83de413edb7187fd9af1c6d01575605d08c47bbfc4dc4e2f094432d
  SHA512: e68f7fe4caec1c442a0e84366793b39a93ad4e6e752950e7dd6378bee7d5b440b89831d17352418fd2081cf9e824bbd61aec007b76436c6b8218c684bd8a6dff