Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2024 18:09
Behavioral task: behavioral1
- Sample: 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
- Size: 768KB
- MD5: 3b69f9251541d2ec23ca85c913d3680e
- SHA1: edb3c5a5acf0cd22546a60de111497833917cff6
- SHA256: 1fce98b97b44385c9d6d685781ca3bfe7b0afc666305db3546d83eaac73e5f28
- SHA512: e2c775ea9c7b6e5010bd9c1a122cd26b285dba65451a0507e4e90bc130588c0cb783bcc780fda8d72351acc17966cb0b13dae774c7856b36d4bf64944d679c50
- SSDEEP: 12288:XXe1Z2fJipMHEgSeA6M7kmchJGvRuORtcE9qTpy+Yg0HkV+dgI:HtkmHEgSewkmchJGsORtn9qT8+Yg03eI
Malware Config
Signatures
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  1964 | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 2116 wrote to memory of 1964 | 2116 | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
  PID 2116 wrote to memory of 1964 | 2116 | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
  PID 2116 wrote to memory of 1964 | 2116 | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
  PID 2116 wrote to memory of 1964 | 2116 | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe | 3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe (level 1, PID 3048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe"
- C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe (level 1, PID 2116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe" -service -lunch
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe (level 2, child of PID 2116, PID 1964)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b69f9251541d2ec23ca85c913d3680e_JaffaCakes118.exe"
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 316B
  MD5: fa1d93786decbf5548a774fc29dfbf90
  SHA1: 427fc450342fd8313b39435a13a6fbceed54b2c3
  SHA256: e14690ac32f466641a675e4814aae977b6cae8f6c5d18a07e9764cf37ca2f6e4
  SHA512: 3ee27dd032163ab79749b12697e380366dcb43150443a9cac9a0bfa6440255c22fabaa940d1d425e9194d327e96ff5b97fe7354f1593157d4475e1b035a7310b