Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 09:42
Static task: static1
Behavioral task: behavioral1, sample 33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe, resource win7-20240221-en
Behavioral task: behavioral2, sample 33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe, resource win10v2004-20240508-en
Behavioral task: behavioral3, sample $_3_.exe, resource win7-20240508-en
Behavioral task: behavioral4, sample $_3_.exe, resource win10v2004-20240508-en
General
Target: 33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
Size: 762KB
MD5: 33f2ea12e7c2a0617631cd2c06213c43
SHA1: 5dd1e34134293ea1b2c19a274a846637430b322f
SHA256: b584e51d2963e09d6131b4478278aae81f8671eab799780a03a85b37b0546844
SHA512: 252d4d9276c6c6ed8ff6a8865ba55775c73e10e87579221b5cabe63e313a1307f0a896073ee28902953894c557fe2d1487e4fa2879f84c3273ce1d161ecdbf37
SSDEEP: 12288:2tobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnV:2tDltItNW7pjDlpt5XY/2TkXKza/29h
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1724: internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
- Loads dropped DLL (1 IoC)
  PID 328: 33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1756: PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1724: internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1724: internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe (3 occurrences)
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 328 (33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe) wrote to memory of PID 1724, procid_target 28 (7 occurrences)
  PID 1724 (internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe) wrote to memory of PID 2956, procid_target 31 (4 occurrences)
  PID 2956 (cmd.exe) wrote to memory of PID 1756, procid_target 33 (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe"
   PID: 328
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsi23B8.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi23B8.tmp/fallbackfiles/'
      PID: 1724
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\15914.bat" "C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\""
         PID: 2956
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 1000
            PID: 1756
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 544B
  MD5: 6104e9d6b3dfcffb93069c8fd1ef437a
  SHA1: e5be5c6c61375af25ac0215874c4abe342b51f00
  SHA256: 4d06bc7a74948853b949530b7ab2181394addaaeb356497f4649dc094e44b9cd
  SHA512: 1857ee1c92938fc042e325c854c9161531e6065236f6de74fa07c2897d388315bbc6c4c43597585055e10529242818e87461ecaf2f308f01166b88080a217c8e
- Filesize: 544B
  MD5: 30544cf77c492e59318fa3f0cee57027
  SHA1: cce28938b91c7ed61085e16ae419dfe5fa478a84
  SHA256: 3978df6031eae493e679c5de8ab4662f80f239d5faed27659c174ae56b7140cf
  SHA512: 6614419f64fadf811cea3fc81142e0407b5a93ce0bbdefff2b4edf3c06cc12d9fa694d98d69de8a9a3cdcdb630320167da99e32245e1431e007e47d50561f4aa
- Filesize: 212B
  MD5: 668767f1e0c7ff2b3960447e259e9f00
  SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
  SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
  SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680
- C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\CA5D164E7193415E8EDEE8C186D98B16_LogFile.txt
  Filesize: 2KB
  MD5: d26c116d8a85fde6a22eb9e23c3af6ba
  SHA1: 8dd773e6bf89b2dbe53e202f2cb1dbc3ecbc5939
  SHA256: 32a6cedb3140be21aa8e33958e03ea35f9565907ace1dc02694a51dfc195196c
  SHA512: e138d6ae551aaa8b2cacde2470f13c2c2309430c1b3f5c1f1bb7edb63fa6e1dab630cbb6b55b8f5ce075e5bbc7a508e7e97cd86d019d1ce1a5c9e01917555a11
- C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\CA5D164E7193415E8EDEE8C186D98B16_LogFile.txt
  Filesize: 3KB
  MD5: c53448b5c212258475e9754cc05b0088
  SHA1: 4e91e6b682896b77eb0e0799406c691f4280c9a7
  SHA256: 043fac9970a53362c440721d77f43b7738f06639e370a9a64d6885307f33a2f7
  SHA512: 68e584285dcdff1ed6b0481e4dc61dff9ac4c9e45888f247e0cb583041719c0a406987424a02e23c22eec58cd9658d4fb6980093f64d4e54da82c2dc386432ad
- C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\CA5D164E7193415E8EDEE8C186D98B16_LogFile.txt
  Filesize: 5KB
  MD5: 865bb0d5ae2ce22b3c380ea3174e7955
  SHA1: 7da95b83f938c36e5746d7646161f9399ec003aa
  SHA256: ca3f576a6c44c722261be95ffdc00301454c620ccbe0a84c2e9c7b23198cb086
  SHA512: d1e16f06396236b48cb7057189f40bcf88d924fdc28d57702c1dcc61c9265c939de646d5b739ba6ee816c0cfcb22b642f8e7bd4542796cb05430fc02e38a8d00
- Filesize: 28KB
  MD5: c4a4cf5ebefb1c63f6f60fb91eb1506d
  SHA1: c94c07a6607b3c1ecdacef2ac506827e0ce4a971
  SHA256: 803776ff232c316988077de04f7e9b11d89b77413dcac05cc2775582d49df894
  SHA512: efe10460f0e2f9fa73b333dcb794dcd16110a880fa7f6d0853aa09deb336301f4c821a8ff6e63fc1368d8d7529d6f227f9121d5ad8a38c9fba7f0087248f2d8f
- C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118_icon.ico
  Filesize: 31KB
  MD5: 1f047e870359e4ef7097acefe2043f20
  SHA1: 82ab7362f9c066473b2643e6cd4201ccbf0bb586
  SHA256: f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e
  SHA512: e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286
- C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118_splash.png
  Filesize: 65KB
  MD5: ef1514e5d2bcf830b39858f0736d7de7
  SHA1: 832214b62cb3e56f858a876fc3f09cb3c3324cbb
  SHA256: c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1
  SHA512: cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d
- \Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
  Filesize: 1.7MB
  MD5: d4c16982f8a834bc0f8028b45c3ae543
  SHA1: 9d9cec9af8f23a23521e20d48d9af1024663a4a7
  SHA256: 932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
  SHA512: c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c