Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
24-05-2024 17:16
Behavioral task
behavioral1
Sample
6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
-
Size
69KB
-
MD5
6f3fcbc1a4d54346e0778b75f898e985
-
SHA1
48312dfd2fe0f97393095c945f657d1ac769b3b0
-
SHA256
56573b5dcf6817999cd7569e2949de7e874aeb1c7bbc125203fb81aac83d9e0d
-
SHA512
2e26309053f7e75ea4b7b68f7235843e28be7c708aecae85523b7d9a8fbe779b79b95cda56ca4232f61d42268f107bc1addd75369f333b3691cb4a49c6ac9597
-
SSDEEP
1536:WZZZZZZZZZZZZpXzzzzzzzzzzzzV9rXounV98hbHnAmMqqU+2bbbAV2/S2Lccu:wBounVyFHjMqqDL2/Lcc
Malware Config
Signatures
-
GandCrab payload 1 IoCs
Processes:
resource: behavioral1/memory/2228-0-0x000000000F7C0000-0x000000000F7D6000-memory.dmp
yara_rule: family_gandcrab
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid: 2180, pid_target: 2228, process: WerFault.exe, target process: 6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
description: PID 2228 wrote to memory of 2180, pid: 2228, process: 6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe, target process: WerFault.exe
description: PID 2228 wrote to memory of 2180, pid: 2228, process: 6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe, target process: WerFault.exe
description: PID 2228 wrote to memory of 2180, pid: 2228, process: 6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe, target process: WerFault.exe
description: PID 2228 wrote to memory of 2180, pid: 2228, process: 6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe, target process: WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f3fcbc1a4d54346e0778b75f898e985_JaffaCakes118.exe" 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 124 2⤵
- Program crash
Network
MITRE ATT&CK Matrix
Downloads
-
memory/2228-0-0x000000000F7C0000-0x000000000F7D6000-memory.dmp
Filesize
88KB