Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 05:56
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: 663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
- Resource: win7-20240221-en
- 7 signatures, 150 seconds
General
- Target: 663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
- Size: 140KB
- MD5: 663bd5680043ed438a43cbcf80379654
- SHA1: cfaa08ea4843c6aae0c5e19d70ad2d86333e9e2e
- SHA256: 987c0d5b77345fdb979da45817424b80f08416ece53e67693b80c041228ae37e
- SHA512: 851cff7c02c60fa19c526e6d8b2ea29b3ea674a92d5cf94469cab5b668de4cfff2da56d0eef37d064910099521e1566fd79a08f73bae34cfbd8c2f5a15fc5126
- SSDEEP: 3072:Hyb5zxdwWjXhBqm9NCbg1UbIDzblnfiw:gdRDhBqm9NC81WInblnx
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
    pid   Process                                             count
    3272  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe  2
    1208  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe  2
    3528  oldroyale.exe                                       2
    3204  oldroyale.exe                                       16
- Suspicious behavior: RenamesItself (1 IoCs)
    pid   Process
    1208  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process                                             procid_target  count
    PID 3272 wrote to memory of 1208  3272  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe  82             3
    PID 3528 wrote to memory of 3204  3528  oldroyale.exe                                       88             3
  (procid_target is the sandbox's internal process record number, not a Windows PID; the target PID is the one named in the description.)
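The two WriteProcessMemory pairs above share one shape: a process spawns a child from its own image and then writes into that child's memory three times. That is the pattern commonly seen when a packer or loader starts a copy of itself and injects the real payload into it; the report records the writes but not their contents, so that reading is an inference, not a finding of the report. The following script is an added example, not code from the sandbox or from the sample's author: it ingests the WriteProcessMemory rows and the process list from this report (embedded below, copied from the page) and flags every parent that writes into a same-image child it spawned, noting whether the image runs from a system directory. The row regex assumes the flattened "PID <writer> wrote to memory of <target> <pid> <image> <procid_target>" layout shown on this page.

```python
import re
from collections import Counter

# Rows copied from this report's "Suspicious use of WriteProcessMemory" IoCs.
WRITE_PROCESS_MEMORY_IOCS = """\
PID 3272 wrote to memory of 1208 3272 663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe 82
PID 3272 wrote to memory of 1208 3272 663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe 82
PID 3272 wrote to memory of 1208 3272 663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe 82
PID 3528 wrote to memory of 3204 3528 oldroyale.exe 88
PID 3528 wrote to memory of 3204 3528 oldroyale.exe 88
PID 3528 wrote to memory of 3204 3528 oldroyale.exe 88
"""

# Process tree from the report: pid -> (image path, parent pid).
# Root processes have no parent in the report, so they carry None.
PROCESSES = {
    3272: (r"C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe", None),
    1208: (r"C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe", 3272),
    3528: (r"C:\Windows\SysWOW64\oldroyale.exe", None),
    3204: (r"C:\Windows\SysWOW64\oldroyale.exe", 3528),
}

# Assumed layout of one flattened IoC row (see lead-in); the trailing number is
# the sandbox's internal procid_target, not a Windows PID.
ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_rows(text):
    """Return (writer_pid, target_pid, image_name) tuples; lines that do not
    match the row layout are skipped rather than raising."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["writer"]), int(m["target"]), m["image"]))
    return rows


def find_self_injection(rows, processes):
    """Flag each (writer, target) pair where the writer is the target's parent
    and both run the same image path, i.e. a process writing into a fresh copy
    of itself. One finding per pair, carrying the number of writes observed."""
    per_pair = Counter((writer, target) for writer, target, _ in rows)
    findings = []
    for (writer, target), writes in per_pair.items():
        w_image, _ = processes.get(writer, (None, None))
        t_image, t_parent = processes.get(target, (None, None))
        if t_parent == writer and w_image is not None and w_image == t_image:
            findings.append({"writer": writer, "target": target,
                             "image": w_image, "writes": writes})
    return sorted(findings, key=lambda f: f["writer"])


def in_system_dir(path):
    """True when the image lives under C:\\Windows\\System32 or SysWOW64, which
    for a sample submitted from a Temp directory means a second copy of it is
    running from a system location. Case-insensitive, as NTFS paths are."""
    return path.lower().startswith(("c:\\windows\\system32\\",
                                    "c:\\windows\\syswow64\\"))


if __name__ == "__main__":
    rows = parse_rows(WRITE_PROCESS_MEMORY_IOCS)
    for f in find_self_injection(rows, PROCESSES):
        where = "system dir" if in_system_dir(f["image"]) else "user dir"
        print(f"{f['writer']} -> {f['target']}: {f['writes']} writes into a "
              f"same-image child ({where}): {f['image']}")
```

Run against the rows on this page it reports both pairs, 3272 -> 1208 and 3528 -> 3204, with the second copy running from SysWOW64. The report does not say how oldroyale.exe got there; the RenamesItself signature on PID 1208 and the identical behaviour of the SysWOW64 copy are suggestive, but the page shows no file-write event linking them, so treat that link as something to confirm in the file-system trace rather than as established.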
Processes
C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe (PID 3272)
  command line: "C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe (PID 1208, child of 3272)
      command line: "C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\oldroyale.exe (PID 3528)
  command line: "C:\Windows\SysWOW64\oldroyale.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\oldroyale.exe (PID 3204, child of 3528)
      command line: "C:\Windows\SysWOW64\oldroyale.exe"
      - Suspicious behavior: EnumeratesProcesses