Analysis

- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 07:59

Static task: static1
Behavioral task: behavioral1
Sample: 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
Resource: win7-20240508-en
General

- Target: 8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
- Size: 347KB
- MD5: 8d6186658958e29ff84ac8e8d45c96cf
- SHA1: 0418a6f893eb8095cc5c2cdc702bd7c420739c00
- SHA256: 0b501e2cedad1838304551cb04498cfe2f47fb31ca7c0a4a05bd444a7f039158
- SHA512: 862c2b257386ad23f9a520e65a5595517294fa9f4425c94055f0db7a2714b7b000744beb170f630999a701128a8131632137bb0b81ba7052eddcd2a5c0a85f5a
- SSDEEP: 3072:c3X55K8ivf2WETl4QuNRLurVzwefoh5/nmXkQr5D0elEo81WZfZ4bIGDiIkya9gu:+we8/mzielEP1aZ4cGOI+gSS3rM
Malware Config

Signatures

- Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes:
    description     ioc
    Destination IP  148.103.9.108

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (each row repeats once per IoC entry recorded):
    pid   process                                               entries
    2720  8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe    2
    3908  8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe    2
    5016  panesdiag.exe                                         2
    4168  panesdiag.exe                                         18

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    3908  8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (each row repeats once per IoC entry recorded):
    description                          pid   process                                             target process                                      entries
    PID 2720 wrote to memory of 3908     2720  8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe  8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe  3
    PID 5016 wrote to memory of 4168     5016  panesdiag.exe                                       panesdiag.exe                                       3
Processes

- C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe"
  PID: 2720 (depth 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8d6186658958e29ff84ac8e8d45c96cf_JaffaCakes118.exe"
    PID: 3908 (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\panesdiag.exe
  Command line: "C:\Windows\SysWOW64\panesdiag.exe"
  PID: 5016 (depth 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\panesdiag.exe
    Command line: "C:\Windows\SysWOW64\panesdiag.exe"
    PID: 4168 (depth 2)
    - Suspicious behavior: EnumeratesProcesses