Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 19:16
Static task: static1
Behavioral task: behavioral1
  Sample: 4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe
Size: 1.0MB
MD5: 4ca7ac73dfacae3c6f0db5931eff68fb
SHA1: 9357405c2cbd1fdbb6198fca4e03482f020548d7
SHA256: 7b3e64f9ed746455192821a9447db2deee992f054b676584922c1b86da387b33
SHA512: f194dc12da58f74ec6b621a7f783c8e9b626794028fc53aea793cc35ea3a470e01ea3c521e81eb07707d3c064c7becd6a41d4e3f7c5bcc4bbe895eea02e711f2
SSDEEP: 24576:d1Er4Mgtw+dpA/nB1fgW12wYkOPo+GZ9jGOE0z7nT9mVZfERa/QY:a4O+d+/HgWo17PzGLywZmERa4Y
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  2340  _nch_setup.exe
  2532  nchsetup.exe
Loads dropped DLL (5 IoCs)
  PID   Process
  2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe
  2340  _nch_setup.exe
  2340  _nch_setup.exe
  2340  _nch_setup.exe
  2340  _nch_setup.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID   Process
  2532  nchsetup.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  Description                        PID   Process                                              procid_target
  PID 2012 wrote to memory of 2340   2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe   28
  PID 2012 wrote to memory of 2340   2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe   28
  PID 2012 wrote to memory of 2340   2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe   28
  PID 2012 wrote to memory of 2340   2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe   28
  PID 2012 wrote to memory of 2340   2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe   28
  PID 2012 wrote to memory of 2340   2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe   28
  PID 2012 wrote to memory of 2340   2012  4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe   28
  PID 2340 wrote to memory of 2532   2340  _nch_setup.exe                                       29
  PID 2340 wrote to memory of 2532   2340  _nch_setup.exe                                       29
  PID 2340 wrote to memory of 2532   2340  _nch_setup.exe                                       29
  PID 2340 wrote to memory of 2532   2340  _nch_setup.exe                                       29
  PID 2340 wrote to memory of 2532   2340  _nch_setup.exe                                       29
  PID 2340 wrote to memory of 2532   2340  _nch_setup.exe                                       29
  PID 2340 wrote to memory of 2532   2340  _nch_setup.exe                                       29
Processes
1. C:\Users\Admin\AppData\Local\Temp\4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4ca7ac73dfacae3c6f0db5931eff68fb_JaffaCakes118.exe"
   PID: 2012
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\_nch_setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_nch_setup.exe"
      PID: 2340
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\n1s\nchsetup.exe" -installer "C:\Users\Admin\AppData\Local\Temp\_nch_setup.exe" -instdata "C:\Users\Admin\AppData\Local\Temp\n1s\nchdata.dat"
         PID: 2532
         - Executes dropped EXE
         - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.0MB
  MD5: 80ea95bac37f410278fd129546461638
  SHA1: b25a1df5fc239a4ddf1cf2407bdba1f3e16fb857
  SHA256: b49b87b69ad585ad29f2439b24ca46d1f84764a0ae17bbaaed9a273e6b3112c9
  SHA512: 2a5b55a5de1957874e45819f41e06b8885868ba8638fe882bdfcb498e3e44b260a6c097fc2f4083d370d54a40643f2c7b50d3469e99ed3fcab18dfdce6be5c3e
Filesize: 1.3MB
  MD5: 9a80ac8c3e2915131f4a9d4a08abc01a
  SHA1: 959750376e72ac8a17193b052f8f437fd2fef758
  SHA256: 96e8588dca3b6d2feddc5005c991bac249ee657785c5e05d8848acfe2fe73046
  SHA512: 11fe6815f4d5bcddf330d1f29832d2a817ae759ae10397578583f9cb77805bc45fa1c66c79abcb9000013b47e3a089f0dbf18019ddf454c38b99aa160659f046