Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/05/2024, 15:55
Static task
static1: 1 signatures
Behavioral task
behavioral1: Sample 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe, Resource win7-20240221-en, 7 signatures, 150 seconds
General
Target: 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
Size: 459KB
MD5: 2599715e41108a239dbb2168409a45e2
SHA1: 70d64469924d04541e83b603f6e96649f18d9c36
SHA256: f8fa091e213aa5cbeac224f8af4337f891ca719c2769ea84f30af31944e5a01d
SHA512: 2ed7f496519cd8771b9ffc64be8dfa7cca53eb540ba2cec912359519053e7cdbd9ff66531761d584d0a730710f5c8c4102e993747dbde99cec03da92dca09201
SSDEEP: 6144:132grmZzPSC5gRi8d3VGHnWtkwaauFHgPvbkqqM:sgqZLpD8dFwnWCEu6ruM
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid   Process
3444  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
3444  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
1204  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
1204  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
2424  channelmontana.exe
2424  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
2160  channelmontana.exe
-
Suspicious behavior: RenamesItself 1 IoCs
pid   Process
1204  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                          pid   Process                                             procid_target
PID 3444 wrote to memory of 1204     3444  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe  81
PID 3444 wrote to memory of 1204     3444  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe  81
PID 3444 wrote to memory of 1204     3444  2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe  81
PID 2424 wrote to memory of 2160     2424  channelmontana.exe                                  85
PID 2424 wrote to memory of 2160     2424  channelmontana.exe                                  85
PID 2424 wrote to memory of 2160     2424  channelmontana.exe                                  85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe"
PID:3444
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe"
    PID:1204
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\channelmontana.exe
"C:\Windows\SysWOW64\channelmontana.exe"
PID:2424
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\channelmontana.exe
    "C:\Windows\SysWOW64\channelmontana.exe"
    PID:2160
    - Suspicious behavior: EnumeratesProcesses