Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 04:53
Static task: static1
Behavioral task: behavioral1
- Sample: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
- Size: 344KB
- MD5: 28615260996f2ee3bf717734f6714014
- SHA1: 4d974c30ad0b91bbb81a3f4684d4c8216b602608
- SHA256: b312190adff333d7172e87d01dbb298ad7dbac987a6ad489fca561366161ee98
- SHA512: af93cc53e0b2299c63247e44c9ad25d065f23a7409657d40e2326f578c10022f58bc2344574c85caad1bfdf3fce65ac18742726b1ed0983a91898a2d30ee75af
- SSDEEP: 3072:9iyYjwU1EjxKqX3Q+V1r851fKI9kG5yl+9nyiPPkD2Io9McfOOgPSCzHi8eklllL:jYrqXn1r8fK+/k+9nvki1Bj4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2468, process Rem5.exe
- Loads dropped DLL (2 IoCs)
  pid 2712, process cmd.exe (2 entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKJhgtYGS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rem5\\Rem5.exe\"" by process 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKJhgtYGS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rem5\\Rem5.exe\"" by process Rem5.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2468 set thread context of 2628; pid 2468, process Rem5.exe, procid_target 32
- Drops file in Windows directory (3 IoCs)
  File opened for modification C:\Windows\win.ini by process 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
  File opened for modification C:\Windows\win.ini by process Rem5.exe
  File opened for modification C:\Windows\win.ini by process svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2432, process 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
  pid 2468, process Rem5.exe (2 entries)
  pid 2628, process svchost.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2432 wrote to memory of 2300; pid 2432, process 28615260996f2ee3bf717734f6714014_JaffaCakes118.exe, procid_target 28 (4 entries)
  PID 2300 wrote to memory of 2712; pid 2300, process WScript.exe, procid_target 29 (4 entries)
  PID 2712 wrote to memory of 2468; pid 2712, process cmd.exe, procid_target 31 (4 entries)
  PID 2468 wrote to memory of 2628; pid 2468, process Rem5.exe, procid_target 32 (9 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\28615260996f2ee3bf717734f6714014_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\28615260996f2ee3bf717734f6714014_JaffaCakes118.exe"
   PID: 2432
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      PID: 2300
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe"
         PID: 2712
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe
            Command line: C:\Users\Admin\AppData\Roaming\Rem5\Rem5.exe
            PID: 2468
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\SysWOW64\svchost.exe
               PID: 2628
               - Drops file in Windows directory
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads