Analysis
- max time kernel: 139s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 08/05/2024, 15:06

Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe
- Resource: win7-20240215-en
- 5 signatures
- 150 seconds
General
- Target: 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe
- Size: 232KB
- MD5: 2564da359d80d04c9694514158ede3b2
- SHA1: 2530df461e454959891ea806c3ff15b6bf51d4ca
- SHA256: 45d879c2e5a55a5c9ac2da5e937e1b531a60ca5a863c44201e4be276ef593619
- SHA512: d337278b7adf8d856b45d3f185dce95ed452595760368a579fd7e2e0a19e4fe37e04d4f301cc1050a2861f5a2b969144f6bdfeebf71ef1f5d6c37ecd73dd0cb6
- SSDEEP: 1536:KsNolkagL6YpgXBx7wJc68fN6Q+H2Ar5q2lM/xSr9uHObV:7olkP+ZxcJrH2A9DlmSmOJ
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid  | Process
  3020 | jitmdmaus.exe  (13 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  pid  | Process
  1888 | 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process                                              | procid_target
  PID 1888 wrote to memory of 3020 | 1888 | 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe | 28  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe (PID 1888, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\jitmdmaus.exe (PID 3020, depth 2, child of PID 1888)
    Command line: "C:\Windows\SysWOW64\jitmdmaus.exe"
    - Suspicious behavior: EnumeratesProcesses
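The three signatures above describe one chain: the sample in %TEMP% (PID 1888) starts a second binary from C:\Windows\SysWOW64 (PID 3020) and then calls WriteProcessMemory against it four times, after which the child enumerates processes. The report lists these as separate IoCs; the script below is an added example (editor's code, not part of the sandbox report or its tooling) that rebuilds the parent/child relationship from the flattened "Processes" and "WriteProcessMemory" text and surfaces "parent writes into the memory of a child it just spawned from a system directory" as a single finding. The input strings are constructed from the lines shown on this page; the heuristic itself is an assumption for triage purposes, since the report records the WriteProcessMemory calls but not what was written.

```python
"""Rebuild the sandbox process tree and cross-reference WriteProcessMemory IoCs.

Editor's example for triaging a flattened sandbox report; not code from the
sandbox vendor. Input text below is constructed from the report's own lines.
"""
import ntpath
import re
from collections import Counter

# Constructed input: the "Suspicious use of WriteProcessMemory" block exactly as the
# report flattens it (four records run together on one line).
WPM_TEXT = (
    "PID 1888 wrote to memory of 3020 1888 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe 28 "
    "PID 1888 wrote to memory of 3020 1888 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe 28 "
    "PID 1888 wrote to memory of 3020 1888 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe 28 "
    "PID 1888 wrote to memory of 3020 1888 2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe 28"
)

# Constructed from the report's "Processes" tree: (pid, parent pid, image path).
PROCESSES = [
    (1888, None, r"C:\Users\Admin\AppData\Local\Temp\2564da359d80d04c9694514158ede3b2_JaffaCakes118.exe"),
    (3020, 1888, r"C:\Windows\SysWOW64\jitmdmaus.exe"),
]

# Each record starts with "PID <src> wrote to memory of <dst>"; the trailing
# pid/Process/procid_target columns repeat the same information and are skipped.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Directories where a freshly spawned, oddly named binary deserves a closer look
# (assumption: this list is the editor's, not something the report defines).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_wpm(text):
    """Count WriteProcessMemory records per (source pid, target pid) pair."""
    return Counter((int(src), int(dst)) for src, dst in WPM_RE.findall(text))


def find_child_injection(processes, wpm_text):
    """Return findings where a parent wrote into the memory of its own child.

    Writes into unrelated processes are a different pattern and are ignored here.
    """
    by_pid = {pid: (ppid, path) for pid, ppid, path in processes}
    findings = []
    for (src, dst), count in parse_wpm(wpm_text).items():
        ppid, path = by_pid.get(dst, (None, None))
        if ppid != src:
            continue
        findings.append({
            "parent_pid": src,
            "parent_image": by_pid[src][1] if src in by_pid else None,
            "child_pid": dst,
            "child_image": path,
            "write_count": count,
            "child_in_system_dir": ntpath.dirname(path).lower() in SYSTEM_DIRS,
        })
    return findings


def describe(finding):
    """One-line analyst summary of a finding."""
    where = "a system directory" if finding["child_in_system_dir"] else "a user-writable path"
    return (
        f"PID {finding['parent_pid']} ({ntpath.basename(finding['parent_image'] or '?')}) spawned "
        f"PID {finding['child_pid']} ({ntpath.basename(finding['child_image'])}) from {where} "
        f"and wrote to its memory {finding['write_count']} time(s): "
        "treat as injection-like until the written bytes are examined."
    )


if __name__ == "__main__":
    for f in find_child_injection(PROCESSES, WPM_TEXT):
        print(describe(f))
```

The check keys on the relationship, not the API name: a single WriteProcessMemory call into an unrelated process, or a debugger writing into a child it launched, would not be flagged by this rule alone, and the four writes here are only suggestive until the child's image on disk is compared with what it executes in memory.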