Analysis

max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 09:31

Static task: static1

Behavioral task: behavioral1
Sample: 804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General

Target: 804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe
Size: 1.8MB
MD5: 804539f335d0fd4413ea225c9c20f637
SHA1: 1f697641dee7dceefee0d05afb921867136a43d0
SHA256: 74eee6958f83d3b1edc92f2b1e81602b3f27734de7dfa873dc6e01f1907049d6
SHA512: ff57b899b04ec78439623cc13454df10f550ed0e3d47502ed85805b930cda4f7dae9573c8d8ca381e1d22a67fecc0f6af40b657f5b0ee65bbb94c8f49595bcbc
SSDEEP: 24576:kIm1otJITCexf/s9ROBczm2Y62+AX769CibJbCQx8rMKEFsIJixXidlltzETFdHd:Q1wIT9xf/s9RO+m2CWZQKFs/+OZsy
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid 2872, process install.exe

Loads dropped DLL (5 IoCs)
pid 1364, process 804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe (1 entry)
pid 2872, process install.exe (4 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
Process: 804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 2872, process install.exe

Suspicious use of WriteProcessMemory (7 IoCs)
PID 1364 (804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe) wrote to memory of 2872, procid_target 28 (7 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\804539f335d0fd4413ea225c9c20f637_JaffaCakes118.exe"
   PID: 1364
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe (child of the process above)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
      PID: 2872
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads