Analysis
- max time kernel: 136s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 06:21

Static task: static1
Behavioral task: behavioral1
- Sample: 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe
- Size: 346KB
- MD5: 711b2ba3081b8a5f52e36bbaec636455
- SHA1: 81b66bc82220bf78e4e89173f96f7288390ad1db
- SHA256: c1b8175d273e0adcb61925a46e829cef90291a44c5a7a86c82a05dc42f0ae73d
- SHA512: 0d2321387afdb47f27e9776000c018733fdb9371e6a061d797512b0efd60222134db8f0f5246c24f53579f6c9926bf58910fbe76516bc64637a3a0a8f1073dbf
- SSDEEP: 3072:H3Vh8Z2IuSCe956HH8UiBIHm3mvQS0ghQ9QS789W5rQekiiL2isU2j2MmVsrKG+o:X0kQCS789W5cNi9U2j2MmVs
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid, process, number of IoCs):
  2104  711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe   2
  4072  711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe   2
  1312  culturesat.exe                                        2
  740   culturesat.exe                                       16
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid, process):
  4072  711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process, number of IoCs):
  PID 2104 wrote to memory of 4072   2104  711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe  711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe  3
  PID 1312 wrote to memory of 740    1312  culturesat.exe  culturesat.exe  3
Processes
- C:\Users\Admin\AppData\Local\Temp\711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe"
  PID: 2104
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe  (child of PID 2104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe"
    PID: 4072
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\culturesat.exe
  Command line: "C:\Windows\SysWOW64\culturesat.exe"
  PID: 1312
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\culturesat.exe  (child of PID 1312)
    Command line: "C:\Windows\SysWOW64\culturesat.exe"
    PID: 740
    - Suspicious behavior: EnumeratesProcesses
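The two process trees above show the same pattern twice: a parent starts a second instance of its own image and then (per the WriteProcessMemory signature) writes into that child three times, which is the shape of self-injection into a freshly spawned copy. The script below is an added example, not part of the sandbox report or its tooling: it parses the report's WriteProcessMemory IoC rows (copied verbatim into the block), combines them with the parent/child relationships read off the process tree, and returns the parent-to-child writes where both ends run the same image. The `PARENT_OF` map and the function names are this example's own.

```python
"""Flag parent -> child WriteProcessMemory events where both processes run the
same image, from the IoC rows of a sandbox report. Added example; the IoC lines
below are copied from the report, the parent map is read off its process tree."""
import re
from collections import Counter

# One row per IoC as the report lists them: description, pid, process, target process.
WPM_IOCS = """\
PID 2104 wrote to memory of 4072 2104 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe
PID 2104 wrote to memory of 4072 2104 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe
PID 2104 wrote to memory of 4072 2104 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe 711b2ba3081b8a5f52e36bbaec636455_JaffaCakes118.exe
PID 1312 wrote to memory of 740 1312 culturesat.exe culturesat.exe
PID 1312 wrote to memory of 740 1312 culturesat.exe culturesat.exe
PID 1312 wrote to memory of 740 1312 culturesat.exe culturesat.exe
"""

# child pid -> parent pid, taken from the depth-1 / depth-2 nesting of the process tree.
PARENT_OF = {4072: 2104, 740: 1312}

# description text, then the pid / process / target-process columns
IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per IoC row."""
    events = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_col, src_img, dst_img = m.groups()
        if src != src_col:  # description and pid column disagree: malformed row
            raise ValueError(f"inconsistent IoC row: {line!r}")
        events.append((int(src), int(dst), src_img, dst_img))
    return events


def self_injection_candidates(events, parent_of):
    """Group writes by (writer, target) and keep those where the writer is the
    target's parent and both run the same image name, i.e. a copy of itself."""
    counts = Counter(events)
    found = []
    for (src, dst, src_img, dst_img), n in counts.items():
        if parent_of.get(dst) == src and src_img.lower() == dst_img.lower():
            found.append({"parent": src, "child": dst, "image": src_img, "writes": n})
    return sorted(found, key=lambda f: f["parent"])


if __name__ == "__main__":
    for hit in self_injection_candidates(parse_wpm(WPM_IOCS), PARENT_OF):
        print(f"{hit['parent']} -> {hit['child']}: {hit['writes']} writes into own image {hit['image']}")
```

On this report the function returns both pairs (2104 into 4072, 1312 into 740), each with three writes. The check deliberately requires the parent relationship as well as the matching image name, so a parent writing into an unrelated process of the same name is not reported as self-injection.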
Network
MITRE ATT&CK Enterprise v15
Downloads
memory dump                                                        size
memory/740-25-0x0000000000700000-0x000000000071A000-memory.dmp     104KB
memory/740-31-0x00000000006D0000-0x00000000006EA000-memory.dmp     104KB
memory/740-21-0x0000000000700000-0x000000000071A000-memory.dmp     104KB
memory/740-26-0x00000000006D0000-0x00000000006EA000-memory.dmp     104KB
memory/740-27-0x0000000000720000-0x0000000000730000-memory.dmp      64KB
memory/1312-19-0x0000000000530000-0x000000000054A000-memory.dmp    104KB
memory/1312-20-0x0000000000550000-0x0000000000560000-memory.dmp     64KB
memory/1312-28-0x00000000004F0000-0x000000000050A000-memory.dmp    104KB
memory/1312-14-0x00000000004F0000-0x000000000050A000-memory.dmp    104KB
memory/1312-15-0x0000000000530000-0x000000000054A000-memory.dmp    104KB
memory/2104-6-0x0000000000630000-0x0000000000640000-memory.dmp      64KB
memory/2104-4-0x0000000000610000-0x000000000062A000-memory.dmp     104KB
memory/2104-5-0x00000000005E0000-0x00000000005FA000-memory.dmp     104KB
memory/2104-0-0x0000000000610000-0x000000000062A000-memory.dmp     104KB
memory/4072-13-0x00000000004F0000-0x0000000000500000-memory.dmp     64KB
memory/4072-11-0x0000000000550000-0x000000000056A000-memory.dmp    104KB
memory/4072-12-0x0000000000530000-0x000000000054A000-memory.dmp    104KB
memory/4072-7-0x0000000000550000-0x000000000056A000-memory.dmp     104KB
memory/4072-30-0x0000000000530000-0x000000000054A000-memory.dmp    104KB
memory/4072-29-0x0000000000400000-0x000000000045B000-memory.dmp    364KB
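The dump names above encode the PID, a snapshot index and the start/end address of the region, and the same region is often dumped at several snapshots. The script below is an added example, not part of the report or the sandbox, that parses those names (copied verbatim into the block), checks each stated size against the address range, collapses the list to the distinct regions per PID, and picks out dumps that start at 0x00400000. Treating 0x00400000 as the default image base of a 32-bit PE, and therefore the first dump worth opening for static triage, is this example's assumption; the function names are its own.

```python
"""Parse sandbox memory-dump names, verify their stated sizes and list the
distinct regions dumped per PID. Added example, not part of the report; the
entries below are copied from its Downloads list."""
import re
from collections import defaultdict

# "<dump name> <stated size>" per line, copied from the report.
DUMP_LIST = """\
memory/740-25-0x0000000000700000-0x000000000071A000-memory.dmp 104KB
memory/740-31-0x00000000006D0000-0x00000000006EA000-memory.dmp 104KB
memory/740-21-0x0000000000700000-0x000000000071A000-memory.dmp 104KB
memory/740-26-0x00000000006D0000-0x00000000006EA000-memory.dmp 104KB
memory/740-27-0x0000000000720000-0x0000000000730000-memory.dmp 64KB
memory/1312-19-0x0000000000530000-0x000000000054A000-memory.dmp 104KB
memory/1312-20-0x0000000000550000-0x0000000000560000-memory.dmp 64KB
memory/1312-28-0x00000000004F0000-0x000000000050A000-memory.dmp 104KB
memory/1312-14-0x00000000004F0000-0x000000000050A000-memory.dmp 104KB
memory/1312-15-0x0000000000530000-0x000000000054A000-memory.dmp 104KB
memory/2104-6-0x0000000000630000-0x0000000000640000-memory.dmp 64KB
memory/2104-4-0x0000000000610000-0x000000000062A000-memory.dmp 104KB
memory/2104-5-0x00000000005E0000-0x00000000005FA000-memory.dmp 104KB
memory/2104-0-0x0000000000610000-0x000000000062A000-memory.dmp 104KB
memory/4072-13-0x00000000004F0000-0x0000000000500000-memory.dmp 64KB
memory/4072-11-0x0000000000550000-0x000000000056A000-memory.dmp 104KB
memory/4072-12-0x0000000000530000-0x000000000054A000-memory.dmp 104KB
memory/4072-7-0x0000000000550000-0x000000000056A000-memory.dmp 104KB
memory/4072-30-0x0000000000530000-0x000000000054A000-memory.dmp 104KB
memory/4072-29-0x0000000000400000-0x000000000045B000-memory.dmp 364KB
"""

# memory/<pid>-<snapshot index>-0x<start>-0x<end>-memory.dmp <size>KB
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp\s+(?P<size>\d+)KB$"
)

# Assumption of this example: 0x00400000 is the default 32-bit PE image base.
IMAGE_BASE_32 = 0x400000


def parse_dumps(text):
    """One dict per dump entry with integer pid, snapshot index, range and stated size."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        dumps.append({
            "pid": int(m["pid"]),
            "idx": int(m["idx"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "stated_kb": int(m["size"]),
        })
    return dumps


def size_mismatches(dumps):
    """Entries whose stated size disagrees with end - start (in whole KB)."""
    return [d for d in dumps if round((d["end"] - d["start"]) / 1024) != d["stated_kb"]]


def regions_by_pid(dumps):
    """Distinct (start, end) ranges per PID, ignoring repeated snapshots of one range."""
    regions = defaultdict(set)
    for d in dumps:
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def image_base_dumps(dumps):
    """Dumps whose range starts at the assumed 32-bit image base."""
    return [d for d in dumps if d["start"] == IMAGE_BASE_32]


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_LIST)
    print("size mismatches:", size_mismatches(dumps))
    for pid, regions in sorted(regions_by_pid(dumps).items()):
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in regions])
    for d in image_base_dumps(dumps):
        print(f"image-base dump: pid {d['pid']} snapshot {d['idx']} ({d['end'] - d['start']:#x} bytes)")
```

For this report every stated size matches its range, PIDs 740, 1312 and 2104 each have three distinct regions and PID 4072 has four, and only PID 4072 has a dump at 0x00400000: 0x5B000 bytes (364KB), larger than the 346KB file on disk, as a mapped image usually is once its sections are page-aligned. That dump is the natural first pick when looking for an unpacked or rewritten image in the child the parent wrote into.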