Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
29/05/2024, 15:11
Static task
static1
Behavioral task
behavioral1
Sample
8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe
-
Size
186KB
-
MD5
8129f5c2ea12bcdb5692e51836a42e04
-
SHA1
3786c64ddaba900425149737008311d61bc15498
-
SHA256
fcb24a9cb3150900c86e239ddf537543f7a3e92d01da38f6ffd4106aecd7e29d
-
SHA512
40eb6b8924ab396376d36dc7c8c0d09a0f6e3bb56b548020ec9f9490e27db88d9da7cbe20f8e69ef105b80948807300feb069692751934da6bc4d10b7a2369d8
-
SSDEEP
3072:TQ/lV7kaoeogcqYeDHw30wi857goKkqglu09NPD5yLGVkaYG51eE3jEzS+NMmDbe:+3YYV07goKjgp9DUW71euYfdf/VGWOT5
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2356 WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 2232 kkaaya.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\kkaaya.exe" 8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\kkaaya.exe 8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\kkaaya.exe 8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1384 wrote to memory of 2356 1384 8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe 29 PID 1384 wrote to memory of 2356 1384 8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe 29 PID 1384 wrote to memory of 2356 1384 8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe 29 PID 1384 wrote to memory of 2356 1384 8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\4481.vbs"2⤵
- Deletes itself
PID:2356
-
-
C:\Windows\SysWOW64\kkaaya.exeC:\Windows\SysWOW64\kkaaya.exe1⤵
- Executes dropped EXE
PID:2232
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
500B
MD594886278d0f286b4386d17fd4a380edc
SHA136fb8ccc12c010cc9ddbeacef91b1b5fc3f92f40
SHA2563f2ac0f1ff88f7e493c78edc7d4090b248177c0643ee92c128e2160642ede786
SHA512ac87d89a1ce72236bebe791c5af9f03e2775ca38e894bffc43a4bd10fa06f0d2f11d5d062757039d2708689c6903d3b8cb272e7990469428cf07a67504b4f031
-
Filesize
186KB
MD58129f5c2ea12bcdb5692e51836a42e04
SHA13786c64ddaba900425149737008311d61bc15498
SHA256fcb24a9cb3150900c86e239ddf537543f7a3e92d01da38f6ffd4106aecd7e29d
SHA51240eb6b8924ab396376d36dc7c8c0d09a0f6e3bb56b548020ec9f9490e27db88d9da7cbe20f8e69ef105b80948807300feb069692751934da6bc4d10b7a2369d8