Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
05-05-2024 09:07
Behavioral task
behavioral1
Sample
40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe
-
Size
29KB
-
MD5
40664b52e67d7256a282d947ea85fe2d
-
SHA1
3f92b30e065cfa7bd22fe663d80f727bd6fdebad
-
SHA256
21797e18dd8010b1f0140b5673ffe9e97a954246a866653a82102ed0b5404d94
-
SHA512
71c5a0e26c1ae74be1a7201d942c2ffcb11433375ddb470fd7035680c1556807259256c5d3f9df40363a0fc137cf528ffb28c111a859595218cd801e0119605c
-
SSDEEP
768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/PF:AEwVs+0jNDY1qi/ql
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1256 services.exe -
resource yara_rule behavioral1/memory/2008-0-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/files/0x0030000000013adc-6.dat upx behavioral1/memory/1256-11-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2008-9-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2008-17-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1256-18-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1256-23-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1256-30-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1256-32-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1256-37-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1256-42-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1256-44-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2008-48-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1256-49-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2008-53-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1256-54-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/files/0x0005000000004ed7-64.dat upx behavioral1/memory/2008-72-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1256-73-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2008-76-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1256-77-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2008-81-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1256-82-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/1256-84-0x0000000000400000-0x0000000000408000-memory.dmp upx behavioral1/memory/2008-88-0x0000000000500000-0x0000000000510200-memory.dmp upx behavioral1/memory/1256-89-0x0000000000400000-0x0000000000408000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" services.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\java.exe 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe File created C:\Windows\services.exe 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe File opened for modification C:\Windows\java.exe 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2008 wrote to memory of 1256 2008 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe 28 PID 2008 wrote to memory of 1256 2008 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe 28 PID 2008 wrote to memory of 1256 2008 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe 28 PID 2008 wrote to memory of 1256 2008 40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\40664b52e67d7256a282d947ea85fe2d_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\services.exe"C:\Windows\services.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1256
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5c1affe614db0ff2fefa641e1079cbea4
SHA1c382f345521b80709834cd43865ec110a92d62cb
SHA256fcdad7593a7e803bf996b563bedec657e8ca2cdf4fe5f2d13ffed30ee010d97c
SHA512945d4ec11dfa1fb736be27adc4f1dff1acb8e35a1e4313b2a44a32573af9417b9155f65867741f0be2809c86340d0352bf83f050d2724353fa391492cc907051
-
Filesize
320B
MD5dbcddce6a94377fffd859fb7b3180e03
SHA1c8b7cb8b17e8d3e1913a5c303721225b20a285f1
SHA25607a5037ad68ed3f583afd22aa6b13376541ccae1e931b18a52c93b79b3f11150
SHA51239cdf711fb274bdbbd5fe2ae5dc77dde19a2d9706ea407b302e2f11ca9c69d9f8b28ec58650b9e5080c15e0489942d9e7fd6f3967e0a98397f0cb2c311e2c894
-
Filesize
8KB
MD5b0fe74719b1b647e2056641931907f4a
SHA1e858c206d2d1542a79936cb00d85da853bfc95e2
SHA256bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c
SHA5129c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2