Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06-05-2024 18:56
Static task
static1
Behavioral task
behavioral1
Sample
1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
1de77153b8ed0bc19f79036248df5621
-
SHA1
ded5307d06333b53a86e03cc02224b153910a84d
-
SHA256
ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310
-
SHA512
c6f9bc13403124f27c20afa3d601b3a4dac3371f180d38b992bd4e25ad9821c9de26b93f66d1fc27377536273a88e3e460512f1fb7040f80921e2c9672e316ac
-
SSDEEP
49152:wc830v9NCqv6zD6YoMKGEvlsGiDykA8fySqs9uI2rChl:A30v97RTGEts1ykASDqcD
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2944 Microsoft.exe 2588 File.exe -
Loads dropped DLL 6 IoCs
pid Process 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 2944 Microsoft.exe 2944 Microsoft.exe 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 2944 Microsoft.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 2944 Microsoft.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe Token: SeDebugPrivilege 2944 Microsoft.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2904 wrote to memory of 2944 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2944 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2944 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2944 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 28 PID 2904 wrote to memory of 2572 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 29 PID 2904 wrote to memory of 2572 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 29 PID 2904 wrote to memory of 2572 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 29 PID 2904 wrote to memory of 2572 2904 1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe 29 PID 2572 wrote to memory of 2676 2572 cmd.exe 31 PID 2572 wrote to memory of 2676 2572 cmd.exe 31 PID 2572 wrote to memory of 2676 2572 cmd.exe 31 PID 2572 wrote to memory of 2676 2572 cmd.exe 31 PID 2944 wrote to memory of 2588 2944 Microsoft.exe 32 PID 2944 wrote to memory of 2588 2944 Microsoft.exe 32 PID 2944 wrote to memory of 2588 2944 Microsoft.exe 32 PID 2944 wrote to memory of 2588 2944 Microsoft.exe 32 PID 2944 wrote to memory of 2624 2944 Microsoft.exe 33 PID 2944 wrote to memory of 2624 2944 Microsoft.exe 33 PID 2944 wrote to memory of 2624 2944 Microsoft.exe 33 PID 2944 wrote to memory of 2624 2944 Microsoft.exe 33 PID 2624 wrote to memory of 2488 2624 cmd.exe 35 PID 2624 wrote to memory of 2488 2624 cmd.exe 35 PID 2624 wrote to memory of 2488 2624 cmd.exe 35 PID 2624 wrote to memory of 2488 2624 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1de77153b8ed0bc19f79036248df5621_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\File.exe"C:\Users\Admin\AppData\Local\Temp\File.exe"3⤵
- Executes dropped EXE
PID:2588
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe.lnk " /f4⤵PID:2488
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftUpdates\Microsoft.exe.lnk " /f3⤵PID:2676
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD527c0d8847cf9c01995d98b859c1ce1a7
SHA17e90992873d538c5fe8dc9bae310f21a1ad26107
SHA256041bfb806d735dc68e2fe143d4ef83194164f6ee5f56bd5e793b3d0ae372e187
SHA51204a134b1d929abcdde4ef6b9e38a64fbc72ce8f66c2750cd6515c9420d2e658f83b12b93b3dd3ab07c1be81a83ff29a9855e09fe798829b18564fc5804e47d7a
-
Filesize
1.0MB
MD536c4cec334ef23d1be8f41c38018fa02
SHA1cca0878895d0990af14e3b5ff434bd5ca5d9f864
SHA2560a1ad5541cebb570dcb272b6e3519fda98fdeca62f6f426fe445cc4f63448cea
SHA512a1aca735db5b536d4fb2c118d24b9bf11a6724caff2e715b9f37c7d45ae8a5185f15d797ec37398a92b3a6abdac7d759e1cec11203ec133a98e826cb125c3ab9
-
Filesize
52KB
MD5278edbd499374bf73621f8c1f969d894
SHA1a81170af14747781c5f5f51bb1215893136f0bc0
SHA256c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA51293b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
-
Filesize
2.0MB
MD51de77153b8ed0bc19f79036248df5621
SHA1ded5307d06333b53a86e03cc02224b153910a84d
SHA256ea37da43c3c832a93a2b35b5b3123701477856f54a8ab1cedd1fb327530a4310
SHA512c6f9bc13403124f27c20afa3d601b3a4dac3371f180d38b992bd4e25ad9821c9de26b93f66d1fc27377536273a88e3e460512f1fb7040f80921e2c9672e316ac