Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 17-05-2024 23:23
Static task: static1
Behavioral task: behavioral1
  Sample: 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe
Size: 401KB
MD5: 507385b76cdd9b6eb66bd848d5f610e7
SHA1: d42e38e87d70ea197415b25dbcb06c107b7d74b8
SHA256: d1b61efec101357e17ff70f1b7fb937fcea4a4c73ef24d77ed2a484315186c86
SHA512: 311aeb502cbcf59beda5f033a9e85dfa1afb2a0d16c90e200c4c1d846ccb46ea5c3b0df69abfee6c2dacfc51ee43e566f8c1bab8a1680e5d8243b5d54dd9c7ff
SSDEEP: 6144:aVmt78kc9NuzrYyyTZC9e2HyTkZtOiV64cYl5gR8O2VRrhZMYXPo3:aQJ8ZYyTZ92HyTpiV67bRiZvPM
Malware Config
Signatures
Obfuscated with Agile.Net obfuscator (1 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                  | yara_rule
  behavioral1/memory/1992-7-0x00000000009A0000-0x00000000009AA000-memory.dmp | agile_net

Program crash (1 IoCs)
Processes:
  pid | pid_target | process      | target process
  800 | 1992       | WerFault.exe | 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1992 | 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                  | pid  | process                                            | target process
  PID 1992 wrote to memory of 800 | 1992 | 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe | WerFault.exe
  PID 1992 wrote to memory of 800 | 1992 | 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe | WerFault.exe
  PID 1992 wrote to memory of 800 | 1992 | 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe | WerFault.exe
  PID 1992 wrote to memory of 800 | 1992 | 507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe | WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\507385b76cdd9b6eb66bd848d5f610e7JaffaCakes118.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 932
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
  file                                                                | Filesize
  memory/1992-0-0x000000007443E000-0x000000007443F000-memory.dmp      | 4KB
  memory/1992-1-0x0000000000C20000-0x0000000000C8A000-memory.dmp      | 424KB
  memory/1992-2-0x0000000000740000-0x0000000000770000-memory.dmp      | 192KB
  memory/1992-3-0x0000000074430000-0x0000000074B1E000-memory.dmp      | 6.9MB
  memory/1992-4-0x000000007443E000-0x000000007443F000-memory.dmp      | 4KB
  memory/1992-5-0x0000000000510000-0x0000000000518000-memory.dmp      | 32KB
  memory/1992-6-0x0000000000520000-0x000000000052E000-memory.dmp      | 56KB
  memory/1992-7-0x00000000009A0000-0x00000000009AA000-memory.dmp      | 40KB
  memory/1992-8-0x0000000074430000-0x0000000074B1E000-memory.dmp      | 6.9MB