Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 14:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
Resource
win7-20240220-en
7 signatures
150 seconds
General
-
Target
254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
-
Size
358KB
-
MD5
254a71ecd4cfdda3cc5119029f277743
-
SHA1
7fcf7a67735c7a990cd8995a0c800940eb9f3b62
-
SHA256
556be9d0efd9bdccd689c7ec6732b1562bc121cb70902456909e94aae4a68488
-
SHA512
673676351c2c63429b8b3630fcc29bad24c6f4c3e3078d8a36768d15738cb78306bd4008c4c403a7c0b5ecd6aee47c8e73a77f9e6f0cedad1fc1337fe1e50d98
-
SSDEEP
3072:ZNvVSf/Sx0vK/HVohSDTC1WyE00WSqoOcdXeWFa2s0kEAu3awPIOkAQxouA:d21W86qmdXzF5sfEr3ZPDkA
Malware Config
Signatures
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses 22 IoCs

| pid | Process |
| --- | --- |
| 1700 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe |
| 1700 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe |
| 1524 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe |
| 1524 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe |
| 1660 | alaskauuidgen.exe |
| 1660 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |
| 1904 | alaskauuidgen.exe |

- Suspicious behavior: RenamesItself 1 IoCs

| pid | Process |
| --- | --- |
| 1524 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe |

- Suspicious use of WriteProcessMemory 6 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1700 wrote to memory of 1524 | 1700 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe | 77 |
| PID 1700 wrote to memory of 1524 | 1700 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe | 77 |
| PID 1700 wrote to memory of 1524 | 1700 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe | 77 |
| PID 1660 wrote to memory of 1904 | 1660 | alaskauuidgen.exe | 79 |
| PID 1660 wrote to memory of 1904 | 1660 | alaskauuidgen.exe | 79 |
| PID 1660 wrote to memory of 1904 | 1660 | alaskauuidgen.exe | 79 |
Processes
- C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe"
  PID:1700
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe"
    PID:1524
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\alaskauuidgen.exe
  "C:\Windows\SysWOW64\alaskauuidgen.exe"
  PID:1660
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\alaskauuidgen.exe
    "C:\Windows\SysWOW64\alaskauuidgen.exe"
    PID:1904
    - Suspicious behavior: EnumeratesProcesses