Analysis
max time kernel: 120s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-05-2024 19:13
Behavioral task: behavioral1
Sample: 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
Size: 128KB
MD5: 3ba897d0c17ee90debaec62b17bb323d
SHA1: eaf8e697d1554984e1ba2a9e49046a77f6dc8c46
SHA256: b683ccee257c2edb5dada7ca00e936cfbb7a81e006719afc5c91778188d349e5
SHA512: ad552034772f7970c4cc85fcf7b516b281c45630e2ed6e1295fb98479d0a783096ee1df1c164006a20c823f64909e438d23199bc4ea1043dc39f9ce305296937
SSDEEP: 3072:n9mQrWSB/WM+dCB+IF1G6911I0EDAUQ+iU2r2:n9USBOMNBNF1Hy0EDAUQ+iU2r2
Malware Config
Extracted
Family: gootkit
C2: sslsecurehost.com, securessl256.com
vendor_id: 8888
Signatures
- Deletes itself (1 IoC)
  pid 2612, process cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2344, process mstsc.exe (the same entry is recorded 64 times)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1612, process 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | procid_target
  PID 1612 wrote to memory of 2344 | 1612 | 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe | 28 (recorded 9 times)
  PID 2344 wrote to memory of 2612 | 2344 | mstsc.exe | 29 (recorded 4 times)
  PID 2612 wrote to memory of 2912 | 2612 | cmd.exe | 31 (recorded 4 times)
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid 2912, process attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   PID: 1612
   2. C:\Windows\SysWOW64\mstsc.exe
      command line: C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2344
      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259429959.bat" "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe""
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         PID: 2612
         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"
            - Views/modifies file attributes
            PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76B
MD5: 920a46297210fc91a9d5ab079b91b787
SHA1: d22e32340fe97ee7ca57dcaa64b8df7b02a646da
SHA256: 397ecd3b137b84cb61a758a1ec9b14130b1fd07c404910635545fd7c9c0dd9d8
SHA512: a273089dab748741f2029b4baca28ae969b9b148a91fbc5b2945c8288009a8c76dfa831e05bfc278a5b3df1804060c8770496202849e853d5772517ab4b0c5dc