Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 05:14
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: 8cff2813ab1c41a83dce3b9d787fa7e4_JaffaCakes118.exe
- Resource: win7-20240215-en
- 4 signatures
- 150 seconds
General
- Target: 8cff2813ab1c41a83dce3b9d787fa7e4_JaffaCakes118.exe
- Size: 272KB
- MD5: 8cff2813ab1c41a83dce3b9d787fa7e4
- SHA1: 1c9b42759fa2fe35b22af3fd851dfb8a4876f73b
- SHA256: 52386b4709a9e28a32fd6714d23ed65bf2f0dfe5823adf1f96ae969efe0e0e3c
- SHA512: e754ee7431c481280e9082c90e5340ad0b2b6bbb68662e7b14803edef4c64ce4c695d26a37a5630ef9a8bebacd1d5b28b37db9d2a40b6d6e2735ae7c55165d49
- SSDEEP: 6144:CjJgbWo2lvryRVR9Zc6pR+lgT5mLiekc50zJ6qqGiRoPFu+lRzc3bh:C+WVlvkR/+lgTzekOsJ6qq1Rmu+lFc3V
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid / process): 1224 cardsmrm.exe (18 events)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process): 704 cmd.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  PID 748 (8cff2813ab1c41a83dce3b9d787fa7e4_JaffaCakes118.exe) wrote to memory of PID 704 (cmd.exe), 3 events
  PID 748 (8cff2813ab1c41a83dce3b9d787fa7e4_JaffaCakes118.exe) wrote to memory of PID 1224 (cardsmrm.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\8cff2813ab1c41a83dce3b9d787fa7e4_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cff2813ab1c41a83dce3b9d787fa7e4_JaffaCakes118.exe"
  PID: 748
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /C move /Y "C:\Users\Admin\AppData\Local\Temp\8cff2813ab1c41a83dce3b9d787fa7e4_JaffaCakes118.exe" "C:\Windows\SysWOW64\cardsmrm.exe"
    PID: 704
    - Suspicious behavior: RenamesItself
  - C:\Windows\SysWOW64\cardsmrm.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\cardsmrm.exe"
    PID: 1224
    - Suspicious behavior: EnumeratesProcesses