Analysis

max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 22:18
Static task: static1

Behavioral task: behavioral1
Sample: 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe
Size: 499KB
MD5: 26fec1e25a99f0cee5e40a4cac55ea00
SHA1: 184569c0e12c327183427c45d18daa8df89bcc33
SHA256: 3c8030b45d07bafb36023df5de15f6a02a461f1ed73dbe7eb4e678bad20e718f
SHA512: 4a328761596c5f7720ef1397427bb45c7ec22eda176d745ef46b3fd3133e667773a38b6a44e5c29ca669f0a7784818a9aa239a7d11fcc6a73d7e3c6afff4a2f9
SSDEEP: 6144:q9xxtqe+fXzVuMCUJN9/hU7d8NAXxOuoORByciYJXI+Oq:Mx7H+fXz6UVhgjBOuoORBylYJ4
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Identical rows collapsed; the count column is the number of times the row appears in the report.

pid   | Process                                              | rows
4624  | 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe   | 2
1892  | 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe   | 2
3336  | aerounity.exe                                        | 2
1884  | aerounity.exe                                        | 16

Suspicious behavior: RenamesItself (1 IoCs)

pid   | Process
1892  | 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Each writer/target pair is reported three times; procid_target is the report's internal process record id.

description                       | pid   | Process                                              | procid_target
PID 4624 wrote to memory of 1892  | 4624  | 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe   | 87
PID 4624 wrote to memory of 1892  | 4624  | 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe   | 87
PID 4624 wrote to memory of 1892  | 4624  | 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe   | 87
PID 3336 wrote to memory of 1884  | 3336  | aerounity.exe                                        | 92
PID 3336 wrote to memory of 1884  | 3336  | aerounity.exe                                        | 92
PID 3336 wrote to memory of 1884  | 3336  | aerounity.exe                                        | 92
Processes
(indentation shows the parent/child tree; depth 1 is a root process, depth 2 a child of the process above it)

C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe  (PID 4624)
  command line: "C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe"
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe  (PID 1892)
      command line: "C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\aerounity.exe  (PID 3336)
  command line: "C:\Windows\SysWOW64\aerounity.exe"
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\aerounity.exe  (PID 1884)
      command line: "C:\Windows\SysWOW64\aerounity.exe"
      Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3308)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4408,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
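The WriteProcessMemory rows and the process tree above together show one pattern twice: a process spawns a second copy of its own image and then writes into that child's memory (4624 into 1892, then the SysWOW64 copy 3336 into 1884). The script below is an added example and is not part of the sandbox report or its tooling. It re-parses the report's WriteProcessMemory rows (transcribed inline as constructed sample input in the flattened one-row-per-line form shown above), joins them with a pid-to-image map and a parent map copied from the Processes section, and flags every writer/target pair where the writer is the target's parent and both run the same image name. The row regex, the map names and the output fields are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the six WriteProcessMemory rows from the report, one per line.
WPM_ROWS = """\
PID 4624 wrote to memory of 1892 4624 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe 87
PID 4624 wrote to memory of 1892 4624 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe 87
PID 4624 wrote to memory of 1892 4624 26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe 87
PID 3336 wrote to memory of 1884 3336 aerounity.exe 92
PID 3336 wrote to memory of 1884 3336 aerounity.exe 92
PID 3336 wrote to memory of 1884 3336 aerounity.exe 92
"""

# pid -> image path, transcribed from the report's Processes section (assumed complete for this example).
PROCESSES = {
    4624: r"C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe",
    1892: r"C:\Users\Admin\AppData\Local\Temp\26fec1e25a99f0cee5e40a4cac55ea00_JaffaCakes118.exe",
    3336: r"C:\Windows\SysWOW64\aerounity.exe",
    1884: r"C:\Windows\SysWOW64\aerounity.exe",
    3308: r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
}

# child pid -> parent pid, from the tree depth markers in the report (roots have no entry).
PARENT = {1892: 4624, 1884: 3336}

# Matches the flattened row form: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return {(writer_pid, target_pid): row_count} from WriteProcessMemory rows."""
    edges = defaultdict(int)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate stray lines in a pasted report
        writer, target = int(m.group(1)), int(m.group(2))
        edges[(writer, target)] += 1
    return dict(edges)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_injection(edges, procs=PROCESSES, parent=PARENT):
    """Flag writer->target pairs where the writer is the target's parent and both run the same image.

    This is the hollowing/RunPE-style shape: launch a copy of yourself, then overwrite it.
    Pairs whose pids are missing from the process map are reported separately so they are not
    silently dropped.
    """
    hits, unknown = [], []
    for (writer, target), count in sorted(edges.items()):
        if writer not in procs or target not in procs:
            unknown.append((writer, target))
            continue
        same_image = image_name(procs[writer]) == image_name(procs[target])
        is_parent = parent.get(target) == writer
        if same_image and is_parent:
            hits.append({
                "writer": writer,
                "target": target,
                "image": image_name(procs[writer]),
                "writes": count,
            })
    return hits, unknown


if __name__ == "__main__":
    found, missing = find_self_injection(parse_wpm(WPM_ROWS))
    for h in found:
        print(f"self-injection: {h['writer']} -> {h['target']} ({h['image']}, {h['writes']} writes)")
    for w, t in missing:
        print(f"unresolved pids: {w} -> {t}")
```

Both pairs in this report satisfy the rule, and the Edge utility process (PID 3308) never appears as a writer or target, so it is not flagged. On a live host the same join is done against Sysmon process-create and process-access events rather than a pasted report, but the rule itself (parent writes into a same-image child) is what a practitioner would want to keep.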