Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 05:20

Behavioral task behavioral1
  Sample: 58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task behavioral2
  Sample: 58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe
  Resource: win10v2004-20240426-en

General

Target: 58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe
Size: 993KB
MD5: 58be834ed5fc94a3cf22582fbacd3b74
SHA1: 9a25679d6e688a75146427d64943732d696bc27a
SHA256: 12aa4dd205e8d1c639d73aa0874372a8ef68fc990cdcc037906ef19f0da6b0de
SHA512: 94c72a35651b59ff3cf6dc0335565d5e9bdb2f35d539a1fb397564e93d78698f4ddcef59b11387420f8445318a3f1063eefaa402bfdd2074320964200d5bbf7d
SSDEEP: 24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxT:dJ5gEKNikf3hBfUiWxT
Malware Config

Signatures

Ammyy Admin
  Remote admin tool with various capabilities.

AmmyyAdmin payload (1 IoC)
  resource: behavioral2/files/0x000800000002341c-7.dat
  yara_rule: family_ammyyadmin

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation
  Process: 58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid: 3756
  Process: budha.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1224 wrote to memory of 3756
  pid: 1224
  Process: 58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe
  procid_target: 83
  (the same entry is recorded three times in the report)
Processes

1. C:\Users\Admin\AppData\Local\Temp\58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\58be834ed5fc94a3cf22582fbacd3b74_JaffaCakes118.exe"
   PID: 1224
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\budha.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      PID: 3756
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 994KB
MD5: 6305e40941af9883060505d680ebfa07
SHA1: d2b3b83e934d1d5442dd211f05972970555fea96
SHA256: 6466fdeb6b27aa3f662731da94e7de1beb53e7b11775a1ad586d7333862c487f
SHA512: 483c42529ed87c86adecfe1ba4ab1390dbbe22cfaa046b20f201125f3a7513b4a45b8986962b91657006d1fbb739246eae8d9d3cfe56bd90de102ccca45a7007