Analysis
-
max time kernel
139s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 03:47
Behavioral task
behavioral1
Sample
61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe
-
Size
152KB
-
MD5
61ee3ec38bee1aff69a3fc4c568b42a8
-
SHA1
94798cd58c4b720d390afdde9518f8429e86e5d3
-
SHA256
9736a79308b004889cde2fcd8d6912964ca67075c126c049378b438dcee77c83
-
SHA512
604d1cb9e919c7a5158b345ae02c247dc3790dbe3e2a3824debf2e96e2e9ec8973414e0dee01d029fd49f084edea9054c83a917bf41fd5211557a749d18267ce
-
SSDEEP
3072:C9mQrWSB/WM+dCB+IF1G6sT11I0EDAUQ+iU2r2dwat3v:C9USBOMNBNF1cxy0EDAUQ+iU2r2Gev
Malware Config
Extracted
gootkit
8888
sslsecurehost.com
securessl256.com
-
vendor_id
8888
Signatures
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe 3612 mstsc.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 2736 wrote to memory of 3612 2736 61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe 90 PID 3612 wrote to memory of 1656 3612 mstsc.exe 91 PID 3612 wrote to memory of 1656 3612 mstsc.exe 91 PID 3612 wrote to memory of 1656 3612 mstsc.exe 91 PID 1656 wrote to memory of 4528 1656 cmd.exe 93 PID 1656 wrote to memory of 4528 1656 cmd.exe 93 PID 1656 wrote to memory of 4528 1656 cmd.exe 93 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4528 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\mstsc.exeC:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240639781.bat" "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe""3⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\61ee3ec38bee1aff69a3fc4c568b42a8_JaffaCakes118.exe"4⤵
- Views/modifies file attributes
PID:4528
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:81⤵PID:3560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76B
MD53d476d0b80a894739aac24b32fd5fc48
SHA1a52d20a5fbc7478be965f01e9888488ec81ef1fc
SHA256a3069159d3a85fa4dc2d5b128494012be5014b6220a269f03d9454c91e694753
SHA512e34578eaf8111b73161add3305cd63e45181ef4d809cd53f317c70fe32d0813d4b9d2d2db709cea9edefd0f371519cc41e194a025cdd6f8084b9112553b93eb7