Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 02:25
Static task: static1
Behavioral task: behavioral1
- Sample: 69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
- Size: 661KB
- MD5: 69715a3737689f3af82dc9fe678daeaa
- SHA1: 10cec059bb7fc0a6aadf00c7e5c67c642d1115dc
- SHA256: 5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5
- SHA512: 752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca
- SSDEEP: 12288:faWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8ri6a:CaHMv6CorjqnyC8r2
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2300  svchost.exe
  2788  svchost.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
  1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
  1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
  1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                      yara_rule
  behavioral1/memory/2392-0-0x0000000000400000-0x00000000004B5000-memory.dmp    autoit_exe
  behavioral1/files/0x0007000000012120-13.dat                                   autoit_exe
  behavioral1/memory/2300-28-0x0000000000400000-0x00000000004B5000-memory.dmp   autoit_exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                              procid_target
  PID 2392 set thread context of 1960  2392  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  28
  PID 2300 set thread context of 2788  2300  svchost.exe                                          30
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
  2788  svchost.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                              procid_target
  PID 2392 wrote to memory of 1960   2392  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  28
  PID 2392 wrote to memory of 1960   2392  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  28
  PID 2392 wrote to memory of 1960   2392  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  28
  PID 2392 wrote to memory of 1960   2392  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  28
  PID 2392 wrote to memory of 1960   2392  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  28
  PID 2392 wrote to memory of 1960   2392  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  28
  PID 1960 wrote to memory of 2300   1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  29
  PID 1960 wrote to memory of 2300   1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  29
  PID 1960 wrote to memory of 2300   1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  29
  PID 1960 wrote to memory of 2300   1960  69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe  29
  PID 2300 wrote to memory of 2788   2300  svchost.exe                                          30
  PID 2300 wrote to memory of 2788   2300  svchost.exe                                          30
  PID 2300 wrote to memory of 2788   2300  svchost.exe                                          30
  PID 2300 wrote to memory of 2788   2300  svchost.exe                                          30
  PID 2300 wrote to memory of 2788   2300  svchost.exe                                          30
  PID 2300 wrote to memory of 2788   2300  svchost.exe                                          30
Processes
- C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
  PID: 2392
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
    PID: 1960
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 2300
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        PID: 2788
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 661KB
- MD5: 69715a3737689f3af82dc9fe678daeaa
- SHA1: 10cec059bb7fc0a6aadf00c7e5c67c642d1115dc
- SHA256: 5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5
- SHA512: 752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca