Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
18-05-2024 12:20
Static task
static1
Behavioral task
behavioral1
Sample
54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe
-
Size
214KB
-
MD5
54b113a41ad2126cb2117b6a3e789cb2
-
SHA1
18199911c5c006a2d3598d8c85750133a5eb0f37
-
SHA256
975f8a47bc86b60a12efccc60a2bb2f8e02bbb6cec78d918f26df82114870ca8
-
SHA512
009c65f9e721c3f9f6e2fc7431a482b48e5f30edd796341899cfd3d2e565a9ce32213a02e4a15f79127d9349e328d488a8a553fcc215df5de30c2ed1969d9070
-
SSDEEP
3072:sjdh27K4tfd81LgfoKO8DLxnYDgbACrs:snYFtdQ0nlhnDbFr
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
winver.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\A3064798 = "C:\\Users\\Admin\\AppData\\Roaming\\A3064798\\bin.exe"
  process: winver.exe -
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
winver.exe
  pid 2476, process winver.exe (64 identical entries) -
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
winver.exe
  pid 2476, process winver.exe -
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe, winver.exe
  description / pid / process / target process
  PID 2172 wrote to memory of 2476: 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe -> winver.exe
  PID 2172 wrote to memory of 2476: 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe -> winver.exe
  PID 2172 wrote to memory of 2476: 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe -> winver.exe
  PID 2172 wrote to memory of 2476: 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe -> winver.exe
  PID 2172 wrote to memory of 2476: 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe -> winver.exe
  PID 2476 wrote to memory of 1284: winver.exe -> Explorer.EXE
  PID 2476 wrote to memory of 1124: winver.exe -> taskhost.exe
  PID 2476 wrote to memory of 1228: winver.exe -> Dwm.exe
  PID 2476 wrote to memory of 1284: winver.exe -> Explorer.EXE
  PID 2476 wrote to memory of 1096: winver.exe -> DllHost.exe
Processes
-
[depth 1] C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
-
[depth 1] C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
-
[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
-
  [depth 2] C:\Users\Admin\AppData\Local\Temp\54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
-
    [depth 3] C:\Windows\SysWOW64\winver.exe
      command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
-
[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/1096-28-0x0000000000100000-0x0000000000107000-memory.dmp (Filesize 28KB)
-
memory/1096-29-0x0000000077BB1000-0x0000000077BB2000-memory.dmp (Filesize 4KB)
-
memory/1096-23-0x0000000000100000-0x0000000000107000-memory.dmp (Filesize 28KB)
-
memory/1124-25-0x0000000077BB1000-0x0000000077BB2000-memory.dmp (Filesize 4KB)
-
memory/1124-24-0x0000000000410000-0x0000000000417000-memory.dmp (Filesize 28KB)
-
memory/1124-14-0x0000000000410000-0x0000000000417000-memory.dmp (Filesize 28KB)
-
memory/1228-26-0x0000000000120000-0x0000000000127000-memory.dmp (Filesize 28KB)
-
memory/1228-17-0x0000000000120000-0x0000000000127000-memory.dmp (Filesize 28KB)
-
memory/1284-7-0x00000000025D0000-0x00000000025D7000-memory.dmp (Filesize 28KB)
-
memory/1284-10-0x0000000077BB1000-0x0000000077BB2000-memory.dmp (Filesize 4KB)
-
memory/1284-20-0x00000000025E0000-0x00000000025E7000-memory.dmp (Filesize 28KB)
-
memory/1284-4-0x00000000025D0000-0x00000000025D7000-memory.dmp (Filesize 28KB)
-
memory/1284-3-0x00000000025D0000-0x00000000025D7000-memory.dmp (Filesize 28KB)
-
memory/1284-27-0x00000000025E0000-0x00000000025E7000-memory.dmp (Filesize 28KB)
-
memory/2172-0-0x00000000002B0000-0x00000000002C2000-memory.dmp (Filesize 72KB)
-
memory/2172-2-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize 228KB)
-
memory/2172-1-0x0000000000401000-0x0000000000405000-memory.dmp (Filesize 16KB)
-
memory/2476-5-0x0000000000100000-0x0000000000107000-memory.dmp (Filesize 28KB)
-
memory/2476-11-0x0000000077B60000-0x0000000077D09000-memory.dmp (Filesize 1.7MB)
-
memory/2476-9-0x00000000004E0000-0x00000000004F6000-memory.dmp (Filesize 88KB)
-
memory/2476-8-0x00000000004E1000-0x00000000004E2000-memory.dmp (Filesize 4KB)
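The WriteProcessMemory table in the Signatures section and the memory-dump list above are read together by the following script. It is an added example, not sandbox output or code from this report: it parses the flattened "PID X wrote to memory of Y" rows into a writer-to-target graph, groups the dumped regions by PID, and reports the region sizes that every injection target of a writer shares with that writer. The two input strings are copied from this report; the reading of a shared size as the footprint of the written payload, and the helper names, are this script's own assumptions, and the page does not show what the regions contain.

```python
import re
from collections import Counter, defaultdict

# Input copied from the report above: the flattened WriteProcessMemory table and
# the memory-dump file names (embedded here as string literals for the example).
WPM_TABLE = (
    "PID 2172 wrote to memory of 2476 2172 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe winver.exe "
    "PID 2172 wrote to memory of 2476 2172 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe winver.exe "
    "PID 2172 wrote to memory of 2476 2172 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe winver.exe "
    "PID 2172 wrote to memory of 2476 2172 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe winver.exe "
    "PID 2172 wrote to memory of 2476 2172 54b113a41ad2126cb2117b6a3e789cb2_JaffaCakes118.exe winver.exe "
    "PID 2476 wrote to memory of 1284 2476 winver.exe Explorer.EXE "
    "PID 2476 wrote to memory of 1124 2476 winver.exe taskhost.exe "
    "PID 2476 wrote to memory of 1228 2476 winver.exe Dwm.exe "
    "PID 2476 wrote to memory of 1284 2476 winver.exe Explorer.EXE "
    "PID 2476 wrote to memory of 1096 2476 winver.exe DllHost.exe"
)
DUMP_NAMES = """
memory/1096-28-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1096-29-0x0000000077BB1000-0x0000000077BB2000-memory.dmp
memory/1096-23-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1124-25-0x0000000077BB1000-0x0000000077BB2000-memory.dmp
memory/1124-24-0x0000000000410000-0x0000000000417000-memory.dmp
memory/1124-14-0x0000000000410000-0x0000000000417000-memory.dmp
memory/1228-26-0x0000000000120000-0x0000000000127000-memory.dmp
memory/1228-17-0x0000000000120000-0x0000000000127000-memory.dmp
memory/1284-7-0x00000000025D0000-0x00000000025D7000-memory.dmp
memory/1284-10-0x0000000077BB1000-0x0000000077BB2000-memory.dmp
memory/1284-20-0x00000000025E0000-0x00000000025E7000-memory.dmp
memory/1284-4-0x00000000025D0000-0x00000000025D7000-memory.dmp
memory/1284-3-0x00000000025D0000-0x00000000025D7000-memory.dmp
memory/1284-27-0x00000000025E0000-0x00000000025E7000-memory.dmp
memory/2172-0-0x00000000002B0000-0x00000000002C2000-memory.dmp
memory/2172-2-0x0000000000400000-0x0000000000439000-memory.dmp
memory/2172-1-0x0000000000401000-0x0000000000405000-memory.dmp
memory/2476-5-0x0000000000100000-0x0000000000107000-memory.dmp
memory/2476-11-0x0000000077B60000-0x0000000077D09000-memory.dmp
memory/2476-9-0x00000000004E0000-0x00000000004F6000-memory.dmp
memory/2476-8-0x00000000004E1000-0x00000000004E2000-memory.dmp
"""
# Row shape: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

def parse_wpm(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per table row."""
    return [(int(s), int(d), si, di) for s, d, si, di in WPM_RE.findall(text)]

def injection_graph(rows):
    """writer pid -> Counter of target pids (repeated writes stay countable)."""
    graph = defaultdict(Counter)
    for src, dst, _, _ in rows:
        graph[src][dst] += 1
    return graph

def parse_dumps(text):
    """pid -> set of (start, end); a region dumped several times counts once."""
    regions = defaultdict(set)
    for pid, start, end in DUMP_RE.findall(text):
        regions[int(pid)].add((int(start, 16), int(end, 16)))
    return regions

def region_sizes(regions, pid):
    return {end - start for start, end in regions.get(pid, ())}

def shared_region_sizes(regions, pids):
    """Sizes present in every listed pid.  Assumption of this script: a size
    that unrelated targets all share, and that the writer also holds, is the
    likeliest footprint of the payload written into each of them."""
    sizes = [region_sizes(regions, p) for p in pids]
    return set.intersection(*sizes) if sizes else set()

def injection_report(wpm_text, dump_text):
    rows = parse_wpm(wpm_text)
    graph = injection_graph(rows)
    regions = parse_dumps(dump_text)
    names = {}
    for src, dst, src_image, dst_image in rows:
        names[src], names[dst] = src_image, dst_image
    report = {}
    for src, targets in graph.items():
        shared = shared_region_sizes(regions, sorted(targets))
        report[src] = {
            "image": names[src],
            "targets": {names[t]: n for t, n in targets.items()},
            "shared_region_sizes": shared,
            "size_also_in_writer": shared & region_sizes(regions, src),
        }
    return report

if __name__ == "__main__":
    for pid, info in injection_report(WPM_TABLE, DUMP_NAMES).items():
        print(pid, info["image"], "->", info["targets"],
              "shared with writer:", sorted(hex(s) for s in info["size_also_in_writer"]))
```

Run against this report it yields 2172 -> winver.exe (5 writes) and winver.exe (2476) -> Explorer.EXE (2), taskhost.exe, Dwm.exe and DllHost.exe (1 each), with 0x7000 (28KB) as the only region size present in winver.exe and in all four of its targets; the Run key IoC above is also written by pid 2476, so the persistence entry and the cross-process writes come from the same process. The 4KB regions at 0x77BB1000 in three of the targets fall inside the 0x77B60000-0x77D09000 mapping dumped from 2476 and are excluded by the intersection because Dwm.exe has no such dump.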