Analysis
- max time kernel: 146s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 22:03

Static task: static1
Behavioral task: behavioral1
Sample: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
Resource: win7-20240419-en

General
- Target: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
- Size: 1.5MB
- MD5: 314162b42775491f40e45f230a66a951
- SHA1: 8b69e81360caa7c644ff9d646ce707614d57f14b
- SHA256: 494e74c88fed50337a524e4e3c395fbf0cf1443691ef9ba11d22199c72add384
- SHA512: a33fe3f575c3d53f735a1ac30fdb2249d6ebb0df9828a495f34d28804a4932c3d4c75188ca478acb885d87137b2dbddb6b75b1fc66206d613f7fd7b5f91b6d71
- SSDEEP: 24576:w8IX/6BvJQOsb7DW9d9597vmQnbWPRqprGYRfVP2XvZ:qXShJQOsHS9d9597vmQnKpqpr/3P2/
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 2724: AdobeReader.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid 1148: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  pid 1148: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  pid 2724: AdobeReader.exe
  pid 2724: AdobeReader.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  pid 1148: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  pid 1148: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  pid 2724: AdobeReader.exe
  pid 2724: AdobeReader.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid 1148: 314162b42775491f40e45f230a66a951_JaffaCakes118.exe
  pid 2724: AdobeReader.exe
  pid 2724: AdobeReader.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  pid 2724: AdobeReader.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 1148 wrote to memory of 1708 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 28
  PID 1148 wrote to memory of 1708 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 28
  PID 1148 wrote to memory of 1708 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 28
  PID 1148 wrote to memory of 1708 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 28
  PID 1148 wrote to memory of 1544 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 30
  PID 1148 wrote to memory of 1544 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 30
  PID 1148 wrote to memory of 1544 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 30
  PID 1148 wrote to memory of 1544 | 1148 | 314162b42775491f40e45f230a66a951_JaffaCakes118.exe | 30
  PID 2644 wrote to memory of 2724 | 2644 | taskeng.exe | 33
  PID 2644 wrote to memory of 2724 | 2644 | taskeng.exe | 33
  PID 2644 wrote to memory of 2724 | 2644 | taskeng.exe | 33
  PID 2644 wrote to memory of 2724 | 2644 | taskeng.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\314162b42775491f40e45f230a66a951_JaffaCakes118.exe"
  PID: 1148
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "AdobeReader" /TR "\"C:\ProgramData\AdobeReader.exe\""
    PID: 1708
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /run /tn "AdobeReader"
    PID: 1544
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {E1B534F9-C63A-47FE-A3F4-4FE4FBE5F329} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  PID: 2644
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\AdobeReader.exe (depth 2)
    Command line: C:\ProgramData\AdobeReader.exe
    PID: 2724
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.5MB
  MD5: a943181e6d69c99c1428d7a4b2474b7d
  SHA1: e47deac6de97b97aa7298e80d426fefd777ea5cd
  SHA256: 73f7a66e9f030f01b9171a8e0776320de453043ce0bd47bb9c53c79d5473849f
  SHA512: 5a1470e35295d2906e8b4e9f67ee754a3874375fa58c8ddf1a464758c2936dade45f56bac94d89037ee499554646d69c59924bf49e4d43af3fc14fad33326af0
- Filesize: 79B
  MD5: d5d1ecca3c017616b424cd03876ad92b
  SHA1: b5ec611d43c6130ca457c93e4b2e0fdc12d4ad22
  SHA256: f9f554cac5faddf711a4bda33f6a383ba78e840939b5af654fce6a77ac39f3d7
  SHA512: f40e549d413d42e2de8afff22b9d1a79188b4575dd5ab00a83c43ec90feef6a22f4f6f5494ac1842bc0f40408083961c17d75913ed2c3e8ffe7949bb0a826e5c