Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 15:02
Static task: static1
1 signatures
Behavioral task: behavioral1
Sample: 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe
Resource: win7-20240419-en
5 signatures
150 seconds
General
Target: 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe
Size: 232KB
MD5: 2564da359d80d04c9694514158ede3b2
SHA1: 2530df461e454959891ea806c3ff15b6bf51d4ca
SHA256: 45d879c2e5a55a5c9ac2da5e937e1b531a60ca5a863c44201e4be276ef593619
SHA512: d337278b7adf8d856b45d3f185dce95ed452595760368a579fd7e2e0a19e4fe37e04d4f301cc1050a2861f5a2b969144f6bdfeebf71ef1f5d6c37ecd73dd0cb6
SSDEEP: 1536:KsNolkagL6YpgXBx7wJc68fN6Q+H2Ar5q2lM/xSr9uHObV:7olkP+ZxcJrH2A9DlmSmOJ
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid: 228, Process: tablepack.exe (the same entry is listed for each of the 20 IoCs)

Suspicious behavior: RenamesItself (1 IoCs)
pid: 2096, Process: 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 2096 wrote to memory of 228, pid: 2096, Process: 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe, procid_target: 78 (the same entry is listed for each of the 3 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID: 2096
    C:\Windows\SysWOW64\tablepack.exe
    "C:\Windows\SysWOW64\tablepack.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 228