Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 11:11
Behavioral task: behavioral1
Sample: ff264fecdf87275193da33264fab1137_JaffaCakes118.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: ff264fecdf87275193da33264fab1137_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: ff264fecdf87275193da33264fab1137_JaffaCakes118.exe
Size: 604KB
MD5: ff264fecdf87275193da33264fab1137
SHA1: 3e220e3f0091ef12372adc786cf4f4a89681f77d
SHA256: e23453578724a3344c479a8b8b681281c1e0c3234e8c7032397f262d969ec7e2
SHA512: fbf517b0c24b5c379d3232591cb0ca4254be6c3cbd1e220ca12772cb1aea5477d1804b92238881454a9a2f19db9dbb310d4c4fb05263d843493a3ce69a8d3bb7
SSDEEP: 6144:efGGBGgkDWNTTHKpedc2+WzddS1XAMi/vS7Uug:SBG8VHKcdc27zddS1XAMiq
Malware Config
Signatures
Deletes itself (1 IoCs)
pid | Process
2656 | cmd.exe

resource | yara_rule
behavioral1/memory/3004-0-0x0000000000400000-0x0000000000499000-memory.dmp | upx
behavioral1/memory/3004-31-0x0000000000400000-0x0000000000499000-memory.dmp | upx
behavioral1/files/0x000b0000000153c7-34.dat | upx

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3004 set thread context of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
2708 | reg.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | Process | procid_target
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3004 wrote to memory of 3032 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 28
PID 3032 wrote to memory of 3052 | 3032 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 29
PID 3032 wrote to memory of 3052 | 3032 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 29
PID 3032 wrote to memory of 3052 | 3032 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 29
PID 3032 wrote to memory of 3052 | 3032 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 29
PID 3004 wrote to memory of 2656 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 31
PID 3004 wrote to memory of 2656 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 31
PID 3004 wrote to memory of 2656 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 31
PID 3004 wrote to memory of 2656 | 3004 | ff264fecdf87275193da33264fab1137_JaffaCakes118.exe | 31
PID 3052 wrote to memory of 2708 | 3052 | cmd.exe | 33
PID 3052 wrote to memory of 2708 | 3052 | cmd.exe | 33
PID 3052 wrote to memory of 2708 | 3052 | cmd.exe | 33
PID 3052 wrote to memory of 2708 | 3052 | cmd.exe | 33
PID 3052 wrote to memory of 3016 | 3052 | cmd.exe | 34
PID 3052 wrote to memory of 3016 | 3052 | cmd.exe | 34
PID 3052 wrote to memory of 3016 | 3052 | cmd.exe | 34
PID 3052 wrote to memory of 3016 | 3052 | cmd.exe | 34
PID 3052 wrote to memory of 3016 | 3052 | cmd.exe | 34
PID 3052 wrote to memory of 3016 | 3052 | cmd.exe | 34
PID 3052 wrote to memory of 3016 | 3052 | cmd.exe | 34
Processes
1. C:\Users\Admin\AppData\Local\Temp\ff264fecdf87275193da33264fab1137_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ff264fecdf87275193da33264fab1137_JaffaCakes118.exe"
   PID: 3004
   Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ff264fecdf87275193da33264fab1137_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ff264fecdf87275193da33264fab1137_JaffaCakes118.exe"
      PID: 3032
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
         PID: 3052
         Signatures: Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
            PID: 2708
            Signatures: Modifies registry key
         4. C:\Windows\SysWOW64\gpupdate.exe
            Command line: gpupdate /force
            PID: 3016
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\jnduf.bat
      PID: 2656
      Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 200B
MD5: 9cedeb0b293d2b5491225ef3d9eb2a8b
SHA1: b607ef9bd319b6ec696c8dab8a314998d133298b
SHA256: 3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08
SHA512: ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc

Filesize: 305B
MD5: 9ce4b82e3b7d6ceaf3fa1096f75bdeef
SHA1: 3ce1545529f99902e87ee1d1fae7253d74f12c1a
SHA256: 45d618672adbe68c9837e9014efab05ac12aecd7730675684ad582d667471343
SHA512: 59e673efa95579739b86b023d862db3a81375e3d5430afabee2e14297b6990ed079a4e6eb1525654734f9a6308bd0c848f1a47c271e5c5fda5aba20cd34f4742

Filesize: 604KB
MD5: 492151910e78d959991d3197e129183f
SHA1: 478d2d41ff3a9236d948060ff8b613de13a0da26
SHA256: 3cdd04d78781be9a984af4df79ba25158e2ce90f258dd7ee0ce9f69e71d82a3c
SHA512: 02a101d5492e4dee8d69b4a4bfe2f47652a6b0acab2bd8ffc520620f6440615bc166ccbbd69a01dfeccac1a34cf732124072f167b71f352c1995a50becee219f