Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 23:24

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
  Resource: win7-20240508-en
  7 signatures, 150 seconds
General

Target: 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
Size: 144KB
MD5: 273291567a770579ce3dc6917e1b4402
SHA1: 46a9e2139d2021b2ca68c84fe53a7f798f9b0bc7
SHA256: a12e6a57bafb85c0d8eeb15d71697b09be4a0222ed897fc05b573d57a2593ac2
SHA512: 1b966a4ca2103656e1a736ec0629f90364c68f66b3b13b0ff04f7b5ea8d3026c5fe3106113b8ad638335771d019ccc690d420b23a23bc867a86f9d808870e31b
SSDEEP: 3072:MJiOVZaic4INE9+j8ocr2i+hF3ijB4QMr3:MJtVZ1cJGIj8YMB4F
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid   Process                                              hits
  2420  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe   2
  1520  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe   2
  4924  dasmrctuip.exe                                       2
  2012  dasmrctuip.exe                                       22

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1520  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                              procid_target   hits
  PID 2420 wrote to memory of 1520  2420  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe   87              3
  PID 4924 wrote to memory of 2012  4924  dasmrctuip.exe                                       96              3
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe"
    PID: 2420
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory

    (depth 2) C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe"
        PID: 1520
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: RenamesItself

(depth 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3124,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
    PID: 4804

(depth 1) C:\Windows\SysWOW64\dasmrctuip.exe
    Command line: "C:\Windows\SysWOW64\dasmrctuip.exe"
    PID: 4924
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory

    (depth 2) C:\Windows\SysWOW64\dasmrctuip.exe
        Command line: "C:\Windows\SysWOW64\dasmrctuip.exe"
        PID: 2012
        Suspicious behavior: EnumeratesProcesses
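As an added example that is not part of the sandbox report above, the Python below parses the WriteProcessMemory records and the process tree exactly as this report lists them and flags every parent that wrote into the memory of a child running the same image. The six record lines and the five tree entries are reproduced from the report as constructed input; the function names are mine and the msedge.exe utility process is kept only to show that it is not flagged. The pattern it finds (a process launches a second instance of its own image and writes into it, which happens twice here: 2420 into 1520 and 4924 into 2012) is consistent with self-injection or process hollowing, but the report records only the WriteProcessMemory calls, not what was written or whether the child's image was replaced. Likewise, the RenamesItself flag on PID 1520 followed by a process named dasmrctuip.exe under C:\Windows\SysWOW64 suggests the sample copied itself into the system directory, but no file-write event appears in this report to confirm that, so treat the link as an inference.

```python
import re
from collections import Counter

# Constructed input: the six "wrote to memory of" records from the report's
# "Suspicious use of WriteProcessMemory" signature, one per line, in the order
# the report lists them. The trailing number is the report's procid_target column.
WRITE_PROCESS_MEMORY_IOCS = """\
PID 2420 wrote to memory of 1520 2420 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe 87
PID 2420 wrote to memory of 1520 2420 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe 87
PID 2420 wrote to memory of 1520 2420 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe 87
PID 4924 wrote to memory of 2012 4924 dasmrctuip.exe 96
PID 4924 wrote to memory of 2012 4924 dasmrctuip.exe 96
PID 4924 wrote to memory of 2012 4924 dasmrctuip.exe 96
"""

# Constructed input: the report's process tree as (pid, image path, parent pid).
# Parent pids follow the tree nesting in the report; top-level processes get 0.
PROCESSES = [
    (2420, "C:\\Users\\Admin\\AppData\\Local\\Temp\\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe", 0),
    (1520, "C:\\Users\\Admin\\AppData\\Local\\Temp\\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe", 2420),
    (4804, "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", 0),
    (4924, "C:\\Windows\\SysWOW64\\dasmrctuip.exe", 0),
    (2012, "C:\\Windows\\SysWOW64\\dasmrctuip.exe", 4924),
]

# Shape of one record: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
RECORD_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<writer_again>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_write_records(text):
    """Parse report lines into (writer_pid, target_pid, writer_image) tuples.
    A line that does not match, or whose two writer pids disagree, is an error
    rather than silently dropped, so a layout change in the report is noticed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        if m["writer"] != m["writer_again"]:
            raise ValueError(f"inconsistent writer pid in {line!r}")
        records.append((int(m["writer"]), int(m["target"]), m["image"]))
    return records


def build_tree(processes):
    """Map pid -> (image path, parent pid)."""
    return {pid: (image, ppid) for pid, image, ppid in processes}


def basename(path):
    """Last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def self_injection_chains(records, tree):
    """Return [(writer, target, image basename, write count)] for every writer
    that wrote into the memory of its own direct child running the same image.
    Write counts are aggregated per (writer, target) pair."""
    counts = Counter((w, t) for w, t, _ in records)
    chains = []
    for (writer, target), n in counts.items():
        if writer not in tree or target not in tree:
            continue  # pid missing from the tree: nothing can be said about it
        writer_image, _ = tree[writer]
        target_image, target_parent = tree[target]
        if target_parent == writer and basename(writer_image) == basename(target_image):
            chains.append((writer, target, basename(writer_image), n))
    return sorted(chains)


def render_tree(tree, chains):
    """Indented text rendering of the tree, marking children a flagged parent wrote into."""
    written_by = {t: w for w, t, _, _ in chains}
    lines = []

    def walk(pid, depth):
        image, _ = tree[pid]
        tag = f"  <- written to by parent {written_by[pid]}" if pid in written_by else ""
        lines.append("  " * depth + f"{pid} {image}{tag}")
        for child, (_, ppid) in sorted(tree.items()):
            if ppid == pid:
                walk(child, depth + 1)

    for pid, (_, ppid) in sorted(tree.items()):
        if ppid not in tree:  # roots: parent is outside the recorded tree
            walk(pid, 0)
    return "\n".join(lines)


def analyse(ioc_text=WRITE_PROCESS_MEMORY_IOCS, processes=PROCESSES):
    """Run the whole pipeline and return the flagged chains plus a rendered tree."""
    tree = build_tree(processes)
    chains = self_injection_chains(parse_write_records(ioc_text), tree)
    return {"chains": chains, "tree": render_tree(tree, chains)}


if __name__ == "__main__":
    result = analyse()
    for writer, target, image, n in result["chains"]:
        print(f"{image}: pid {writer} wrote {n}x into its own child pid {target}")
    print(result["tree"])
```

The check deliberately requires both a parent/child relation and a matching image name, so a legitimate parent that writes into an unrelated child (a debugger, a browser's own sandbox broker) is not flagged; on this report the only two hits are the sample's original instance and the SysWOW64 copy, each spawning and writing into a second instance of itself.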