Analysis
-
max time kernel
137s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 07:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
-
Size
275KB
-
MD5
8d6146eed06d626d31499c689dbdacdc
-
SHA1
d85b600d2457a5948e92956d1dbb9160aa05a88e
-
SHA256
01d06594c1418a2f58d827174255e372848d80a1eb037b9ae733e4b21a918cd2
-
SHA512
f269aed0b8d1d137bac7b3af8c461b57488b9a41e0fa8f6f0559f12f7c58ffdd0317db8ab1daddc71d1accfafc58dc4b79a4d61841441c071a489d17831e7fa9
-
SSDEEP
3072:jVFKX2GybFw1w8oayTMtu+5x4Rd17bo5PLF0MNseNI3920h:jTKX2b+a8oRTMY+H4Rv7OPLmMN3NIv
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exeexampletvout.exeexampletvout.exepid process 4700 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe 4700 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe 2464 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe 2464 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe 3456 exampletvout.exe 3456 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe 4192 exampletvout.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exepid process 2464 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exeexampletvout.exedescription pid process target process PID 4700 wrote to memory of 2464 4700 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe PID 4700 wrote to memory of 2464 4700 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe PID 4700 wrote to memory of 2464 4700 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe PID 3456 wrote to memory of 4192 3456 exampletvout.exe exampletvout.exe PID 3456 wrote to memory of 4192 3456 exampletvout.exe exampletvout.exe PID 3456 wrote to memory of 4192 3456 exampletvout.exe exampletvout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2464
-
C:\Windows\SysWOW64\exampletvout.exe"C:\Windows\SysWOW64\exampletvout.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\exampletvout.exe"C:\Windows\SysWOW64\exampletvout.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192