Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 17-05-2024 14:23
Static task: static1
Behavioral task: behavioral1
  Sample: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
Size: 1.1MB
MD5: 4ff87ad46311de76229dc57a1c3b72ee
SHA1: 51cb03f06b8f5485842a192f137f4b746d87f7e4
SHA256: f614e6f10dcbfd97cf6d33ce9c480a96e38b8bea4245067e7e2ef2d0b0cfcc8d
SHA512: 7631ea53673ee9d0475905152e1fa4ec29a36df234e5943f21f55e752098715f3ddfac6c8fb72640df9e34ba7c4699a542a60db59db548f324e67203cac0bb8c
SSDEEP: 24576:O4qMHwL06i5ZTx3hucuuCN4HwgqOPqKy7vJydBWNe/ISImkz:NZxucudHgQKKvGBWWk
Malware Config
Signatures
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid: 1632 | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege | pid: 1632 | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 1632 wrote to memory of 1556 | pid: 1632 | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe | target process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
  description: PID 1632 wrote to memory of 1556 | pid: 1632 | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe | target process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
  description: PID 1632 wrote to memory of 1556 | pid: 1632 | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe | target process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
  description: PID 1632 wrote to memory of 1556 | pid: 1632 | process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe | target process: 4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe"
   - Maps connected drives based on registry
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\4ff87ad46311de76229dc57a1c3b72ee_JaffaCakes118.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/1632-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp | Filesize: 4KB
memory/1632-1-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB
memory/1632-2-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB
memory/1632-3-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB
memory/1632-4-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB
memory/1632-6-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB
memory/1632-7-0x0000000004680000-0x0000000004683000-memory.dmp | Filesize: 12KB
memory/1632-9-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB
memory/1632-10-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB
memory/1632-11-0x0000000074AC0000-0x000000007506B000-memory.dmp | Filesize: 5.7MB