Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 03:47
Behavioral task: behavioral1
Sample: 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
Size: 152KB
MD5: 61ee3ec38bee1aff69a3fc4c568b42a8
SHA1: 94798cd58c4b720d390afdde9518f8429e86e5d3
SHA256: 9736a79308b004889cde2fcd8d6912964ca67075c126c049378b438dcee77c83
SHA512: 604d1cb9e919c7a5158b345ae02c247dc3790dbe3e2a3824debf2e96e2e9ec8973414e0dee01d029fd49f084edea9054c83a917bf41fd5211557a749d18267ce
SSDEEP: 3072:C9mQrWSB/WM+dCB+IF1G6sT11I0EDAUQ+iU2r2dwat3v:C9USBOMNBNF1cxy0EDAUQ+iU2r2Gev
Malware Config
Extracted
gootkit
8888
sslsecurehost.com
securessl256.com
vendor_id: 8888
Signatures
Deletes itself (1 IoC)
pid   Process
3044  cmd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
3016  mstsc.exe  (same entry repeated 64 times)
Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
2372  61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description                        pid   Process                                             procid_target
PID 2372 wrote to memory of 3016   2372  61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe  28  (repeated 9 times)
PID 3016 wrote to memory of 3044   3016  mstsc.exe                                           29  (repeated 4 times)
PID 3044 wrote to memory of 1136   3044  cmd.exe                                             31  (repeated 4 times)
Views/modifies file attributes (1 TTP, 1 IoC)
pid   Process
1136  attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   PID: 2372
   2. C:\Windows\SysWOW64\mstsc.exe
      command line: C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3016
      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259402284.bat" "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe""
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         PID: 3044
         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"
            - Views/modifies file attributes
            PID: 1136
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76B
MD5: dd6ca08d9995ff089ecdd8f5d2056ab7
SHA1: 26e42f8a43adcba4a3d761b569e90fb703c87f45
SHA256: 728b58d0e0ef18da5858b1e4c9aa74f8d38e41b94c3114b29dd6abc55d9af522
SHA512: d2d22dd67614d533ca14481c7ac038444ef2127eb587eddcddeac34a6f2f450af9cc26267a483111d11e508a4fed2d043c5cf72fb9a56249b6699ad6556d0c4c