Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 19:13
Behavioral task
behavioral1
Sample
3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe
-
Size
128KB
-
MD5
3ba897d0c17ee90debaec62b17bb323d
-
SHA1
eaf8e697d1554984e1ba2a9e49046a77f6dc8c46
-
SHA256
b683ccee257c2edb5dada7ca00e936cfbb7a81e006719afc5c91778188d349e5
-
SHA512
ad552034772f7970c4cc85fcf7b516b281c45630e2ed6e1295fb98479d0a783096ee1df1c164006a20c823f64909e438d23199bc4ea1043dc39f9ce305296937
-
SSDEEP
3072:n9mQrWSB/WM+dCB+IF1G6911I0EDAUQ+iU2r2:n9USBOMNBNF1Hy0EDAUQ+iU2r2
Malware Config
Extracted
gootkit
8888
sslsecurehost.com
securessl256.com
-
vendor_id
8888
Signatures
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe 3696 mstsc.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3844 wrote to memory of 3696 3844 3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe 84 PID 3696 wrote to memory of 2796 3696 mstsc.exe 85 PID 3696 wrote to memory of 2796 3696 mstsc.exe 85 PID 3696 wrote to memory of 2796 3696 mstsc.exe 85 PID 2796 wrote to memory of 1500 2796 cmd.exe 87 PID 2796 wrote to memory of 1500 2796 cmd.exe 87 PID 2796 wrote to memory of 1500 2796 cmd.exe 87 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1500 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\mstsc.exeC:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240598546.bat" "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe""3⤵
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\3ba897d0c17ee90debaec62b17bb323d_JaffaCakes118.exe"4⤵
- Views/modifies file attributes
PID:1500
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76B
MD5b1954605b3e329f6dfc8a3fa8c46227e
SHA11ec20a1a6485465ac4e04e96180cf6bd202aebb3
SHA256bbbc538ab412e7a6a9ac3a2b20b5186dba4b530536c4928e04a23e5001996146
SHA512ff73965b00ccf5fb4f09582820bae0486599d21ccb8eaff9a043f2694f5cb6b4632835defa61ed1c8b58047758373278c2528af1e7f197ea8c651cfacccd2feb