Analysis
-
max time kernel
136s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-04-2024 15:14
Behavioral task
behavioral1
Sample
fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe
Resource
win7-20240220-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe
-
Size
286KB
-
MD5
fd0d03155e0ca6a4b809b25e6d1e09d7
-
SHA1
2af28e4344bd040f28a59b314b79ae0eda126505
-
SHA256
bdc422ab36507ec9a16f0a34e37117999e227f2fb7f6731100e0f8c3927e464f
-
SHA512
47856fd4416303a1f8f4d9f95269fffeb1d09cb1476bf55762c7efd9cb70c33e53e41e261f533f82a6818c21e919dd62d4dc2681daf5c636cf95cff369cf982f
-
SSDEEP
6144:P3iLI/fNefYe2QULvWlmzSfZKs3fwAzvr6aYMvxDrYmFon:drL+cSfZKs3hX6pMJP/FO
Score
8/10
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Process: fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3bf41072-b2b1-21c1-b5c1-0305f4155515}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = "C:\\Windows\\V_Server.exe"
Why it matters: at logon Windows runs the StubPath command of every Installed Components entry whose GUID is not yet recorded under the user's HKCU copy of the key, so this entry launches C:\Windows\V_Server.exe at the next logon of each user on the host (ATT&CK T1547.014, Active Setup). No V_Server.exe process appears in the process tree of this run, which is consistent with a logon-time trigger that the analysis window never reaches. -
Drops file in Windows directory 2 IoCs
Process: fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe
- File created: C:\Windows\V_Server.exe
- File opened for modification: C:\Windows\V_Server.exe
Note: this is the payload that the Active Setup StubPath above points at. Writing an executable straight into the root of C:\Windows (rather than System32, SysWOW64 or Program Files) and creating a key under HKLM both need an administrative token; both succeeded here, so the sample ran elevated in the sandbox, and a standard-user run with UAC enforced would fail these two steps. -
Suspicious use of WriteProcessMemory 5 IoCs
Process: fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe (PID 1488)
- PID 1488 wrote to memory of 2008 (iexplore.exe), 2 writes
- PID 1488 wrote to memory of 3580 (cmd.exe), 3 writes
Note: the sample spawns iexplore.exe with a stray-byte argument (see the process tree) and writes into it; cross-process writes into a freshly created browser process are the footprint of process injection or hollowing, although this report does not show what was written. The writes into cmd.exe accompany the self-deletion helper below. -
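The three signatures above are the checks an analyst makes by hand when reading such a report: a StubPath outside the directories legitimate Active Setup stubs run from, an executable dropped into the root of C:\Windows, cross-process writes into a browser, and a cmd.exe that deletes the dropper. The block below is an added example for this page, not the sandbox's own signature engine and not code from the sample; it runs those checks over the report's event strings (transcribed here as constructed input). TRUSTED_DIRS, INJECTION_HOSTS and the severity labels are this example's assumptions, not values the report states.

```python
"""Triage rules over sandbox event strings (added example, see lead-in)."""
import re
from dataclasses import dataclass

# Assumption: where legitimate Active Setup stubs live (ie4uinit.exe, unregmp2.exe, ...).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: usual injection/hollowing hosts. cmd.exe is left out on purpose:
# this report only uses it as the deletion helper.
INJECTION_HOSTS = {"iexplore.exe", "explorer.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe"}

ACTIVE_SETUP_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?'
    r'Microsoft\\Active Setup\\Installed Components\\(\{[0-9A-Fa-f-]+\})\\StubPath = "(.*)"$')
DROP_RE = re.compile(r"File created (.+)$")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
DEL_RE = re.compile(r'cmd(?:\.exe)? /c del (?:/[a-z] )*"?([^"]+\.exe)"?', re.IGNORECASE)

# Constructed input: the IoC lines of this report, transcribed.
SAMPLE = "fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
SAMPLE_EVENTS = [
    ("registry", r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup"
                 r'\Installed Components\{3bf41072-b2b1-21c1-b5c1-0305f4155515}\StubPath = "C:\\Windows\\V_Server.exe"'),
    ("file", r"File created C:\Windows\V_Server.exe"),
    ("file", r"File opened for modification C:\Windows\V_Server.exe"),
    ("memory", f"PID 1488 wrote to memory of 2008 1488 {SAMPLE} iexplore.exe"),
    ("memory", f"PID 1488 wrote to memory of 2008 1488 {SAMPLE} iexplore.exe"),
    ("memory", f"PID 1488 wrote to memory of 3580 1488 {SAMPLE} cmd.exe"),
    ("process", f'cmd /c del /F "{SAMPLE_PATH}"'),
]


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def first_token(cmdline: str) -> str:
    """Executable part of a command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def stubpath_is_suspicious(stubpath: str) -> bool:
    """True when the StubPath executable lives outside TRUSTED_DIRS.

    The sandbox prints the registry string with doubled backslashes, so undo that.
    A bare name ('regsvr32.exe /s ...') resolves from System32 and is not flagged.
    """
    exe = first_token(stubpath.replace("\\\\", "\\")).lower()
    if "\\" not in exe:
        return False
    return not exe.startswith(TRUSTED_DIRS)


def drop_is_suspicious(path: str) -> bool:
    """Executable written straight into C:\\Windows (not a subfolder) or into %TEMP%."""
    p = path.lower()
    if not p.endswith((".exe", ".dll", ".scr")):
        return False
    parent = p.rsplit("\\", 1)[0] + "\\"
    return parent == "c:\\windows\\" or "\\appdata\\local\\temp\\" in parent


def triage(events, sample_path: str):
    """Run the four rules over (kind, text) events and return the findings."""
    findings, seen_writes = [], set()
    for kind, text in events:
        if kind == "registry":
            m = ACTIVE_SETUP_RE.search(text)
            if m and stubpath_is_suspicious(m.group(2)):
                findings.append(Finding("active_setup_persistence", "high",
                    f"Installed Components {m.group(1)} StubPath = {m.group(2)}; runs at each user's next logon"))
        elif kind == "file":
            m = DROP_RE.match(text)
            if m and drop_is_suspicious(m.group(1)):
                findings.append(Finding("drop_in_windows_root", "medium", f"executable written to {m.group(1)}"))
        elif kind == "memory":
            m = WPM_RE.match(text)
            if m:
                src, dst, _, src_name, dst_name = m.groups()
                # one finding per (source, target) pair, however many writes occurred
                if dst_name.lower() in INJECTION_HOSTS and (src, dst) not in seen_writes:
                    seen_writes.add((src, dst))
                    findings.append(Finding("cross_process_write", "high",
                        f"{src_name} ({src}) wrote into {dst_name} ({dst}): injection/hollowing pattern"))
        elif kind == "process":
            m = DEL_RE.search(text)
            if m and m.group(1).lower() == sample_path.lower():
                findings.append(Finding("self_delete", "medium", "dropper deleted its own file: " + text))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_PATH):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run on the transcribed events it yields exactly one finding per signature plus the self-delete; the two writes into PID 2008 collapse into a single cross_process_write, and the writes into cmd.exe are not reported. Swapping in a benign StubPath such as "C:\Windows\System32\ie4uinit.exe" -UserConfig, or a bare regsvr32.exe command, produces no persistence finding, which is the false-positive check worth keeping next to any Active Setup rule.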
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe (PID 1488, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe"
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe (PID 2008, level 2, child of 1488)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" ¨Á
(argument recorded by the sandbox as shown; it is the target of the WriteProcessMemory calls above)
-
C:\Windows\SysWOW64\cmd.exe (PID 3580, level 2, child of 1488)
Command line: cmd /c del /F "C:\Users\Admin\AppData\Local\Temp\fd0d03155e0ca6a4b809b25e6d1e09d7_JaffaCakes118.exe"
(self-deletion of the dropper once V_Server.exe and the Active Setup entry are in place; the 32-bit SysWOW64 cmd.exe and the WOW6432Node registry path both show the sample is a 32-bit executable)
Downloads
Memory dumps of PID 1488 (the sample):
- memory/1488-0-0x0000000000400000-0x000000000050574A-memory.dmp, 1.0MB
- memory/1488-1-0x0000000000400000-0x000000000050574A-memory.dmp, 1.0MB
- memory/1488-2-0x0000000000400000-0x000000000050574A-memory.dmp, 1.0MB
- memory/1488-3-0x0000000002400000-0x0000000002401000-memory.dmp, 4KB
- memory/1488-5-0x0000000000400000-0x000000000050574A-memory.dmp, 1.0MB
Note: 0x00400000 is the default image base of a 32-bit executable, so the four 1.0MB dumps are snapshots of the sample's own mapped image taken at successive points of the run; the 4KB dump at 0x02400000 is a single separately allocated page.