Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 21/05/2024, 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: 6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
Size: 10.0MB
MD5: 6431b5da2c1026b2d8d33a1f7a417c60
SHA1: 498c6e56c9efdfddfb69021dcf8b275a801c044f
SHA256: b59983894a4c71759a2af3a36f4a036163e7bc078ff8858ad219dccc2684cae0
SHA512: 8751909a49a221e0093fc342545e9c90ac002cea1efaf883dfbb335762fd88a623dd6377f9bf37eddfe139f1190e5e5769f02963f11f432406f0c63602579014
SSDEEP: 196608:FugUqSyFz9MxsRWjnp/4b6cJbRWSRCGHlD4N6aLnWXsCHEsjFsCZzy:EqSyLpQrVkJHxRCGF2j2sCQ
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  1448  rundll.exe
  1560  rundll.exe
  2904  ss.exe
- Loads dropped DLL (17 IoCs)
  pid   Process
  2612  6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
  2612  6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
  2612  6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
  2612  6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
  1448  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  1560  rundll.exe
  2112  cmd.exe
  2112  cmd.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Detects Pyinstaller (1 IoCs)
  resource: behavioral1/files/0x0005000000019473-125.dat
  yara_rule: pyinstaller
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (11 IoCs)
  pid   Process
  2548  taskkill.exe
  2832  taskkill.exe
  344   taskkill.exe
  1400  taskkill.exe
  1768  taskkill.exe
  2888  taskkill.exe
  2532  taskkill.exe
  2436  taskkill.exe
  1420  taskkill.exe
  2692  taskkill.exe
  2488  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2888  taskkill.exe
  Token: SeDebugPrivilege   2532  taskkill.exe
  Token: SeDebugPrivilege   2692  taskkill.exe
  Token: SeDebugPrivilege   2548  taskkill.exe
  Token: SeDebugPrivilege   2488  taskkill.exe
  Token: SeDebugPrivilege   2436  taskkill.exe
  Token: SeDebugPrivilege   2832  taskkill.exe
  Token: SeDebugPrivilege   344   taskkill.exe
  Token: SeDebugPrivilege   1420  taskkill.exe
  Token: SeDebugPrivilege   1400  taskkill.exe
  Token: SeDebugPrivilege   1768  taskkill.exe
- Suspicious use of WriteProcessMemory (60 IoCs)
Processes
1: C:\Users\Admin\AppData\Local\Temp\6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6431b5da2c1026b2d8d33a1f7a417c60_JaffaCakes118.exe"
   PID: 2612
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      PID: 2888
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      PID: 2532
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      PID: 2692
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      PID: 2548
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM rundll.exe /F
      PID: 2488
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      PID: 2436
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      PID: 2832
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      PID: 344
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM ss.exe /F
      PID: 1420
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM Eternalblue-2.2.0.exe /F
      PID: 1400
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /IM Doublepulsar-1.3.1.exe /F
      PID: 1768
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
   2: C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
      PID: 1448
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3: C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
         PID: 1560
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4: C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "ss.exe TCP 10.127.0.127/14 445 200 /save"
            PID: 2112
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5: C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
               Command line: ss.exe TCP 10.127.0.127/14 445 200 /save
               PID: 2904
               - Executes dropped EXE
Downloads