Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64
arch:x86
image:win10v2004-20240611-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
12/06/2024, 22:55
Static task
static1
Behavioral task
behavioral1
Sample
a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
-
Size
85KB
-
MD5
a2ce5a73ea2d54fdd4e9a5129f39d8fe
-
SHA1
433c6d8322db270b3a677b3c46ecc518636f99b2
-
SHA256
06e187ee90ec1e32e8e0bb61a7f806a92dabe74d104a11b5b927c1bd23847524
-
SHA512
53fdce94128898a3d3efa7481f61f399f62fe4a5f302c6a59f1b63b22dde16c7278e3166d9eb16c9b71e4b327b8540d46eda24451fc3b24631c19f4b5b6f662b
-
SSDEEP
1536:fCaIoX1oYOcbTMV88TXJLE7iwhKKS2gE2wGu3SzR3:fCaZ2Yrb0VTXJY7iZKUE2wGuih
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid   Process
5064  iWinGames.exe
4564  InstGameInfoHelper.exe
-
Loads dropped DLL 8 IoCs
pid   Process
4972  a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
4972  a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
4972  a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
5064  iWinGames.exe
5064  iWinGames.exe
5064  iWinGames.exe
5064  iWinGames.exe
5064  iWinGames.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource                                      yara_rule
behavioral2/files/0x0007000000023682-15.dat   nsis_installer_1
behavioral2/files/0x0007000000023682-15.dat   nsis_installer_2
-
Suspicious use of WriteProcessMemory 6 IoCs
description                        pid   Process                                              procid_target
PID 4972 wrote to memory of 5064   4972  a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe   92
PID 4972 wrote to memory of 5064   4972  a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe   92
PID 4972 wrote to memory of 5064   4972  a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe   92
PID 5064 wrote to memory of 4564   5064  iWinGames.exe                                        93
PID 5064 wrote to memory of 4564   5064  iWinGames.exe                                        93
PID 5064 wrote to memory of 4564   5064  iWinGames.exe                                        93
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4972
    (depth 2) C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:5064
        (depth 3) C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe"
            - Executes dropped EXE
            PID:4564
-
(depth 1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
    PID:2784
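Two things in this report are worth checking mechanically rather than by eye: whether every "wrote to memory of" pair in the WriteProcessMemory signature is simply a parent writing into a child it just created (ordinary process start-up, which is what the pairs above show) or a write into some unrelated process (the injection case), and which processes ran out of an NSIS extraction directory under %TEMP%. The script below is an added example, not code from the report or from the sandbox; the event list is constructed from the Processes section (the page gives no parent for the two depth-1 processes, so msedge.exe stays a root rather than a child of the sample), and the ns<letter><hex>.tmp directory pattern is an assumption fitted to the two directory names on this page.

```python
import re

# Constructed from the Processes section of this report: (pid, parent pid, image path).
# Parent pids of the depth-1 processes are not on the page, so they are None.
EVENTS = [
    (4972, None, r"C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"),
    (5064, 4972, r"C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe"),
    (4564, 5064, r"C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe"),
    (2784, None, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]

# Copied from the "Suspicious use of WriteProcessMemory" signature of this report.
WPM_LINES = """\
PID 4972 wrote to memory of 5064 4972 a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe 92
PID 4972 wrote to memory of 5064 4972 a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe 92
PID 4972 wrote to memory of 5064 4972 a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe 92
PID 5064 wrote to memory of 4564 5064 iWinGames.exe 93
PID 5064 wrote to memory of 4564 5064 iWinGames.exe 93
PID 5064 wrote to memory of 4564 5064 iWinGames.exe 93
"""

# Assumption: NSIS unpacks helpers into %TEMP%\ns<one letter><hex>.tmp\ ; the pattern is
# fitted to the two directory names on this page (nsjE9D4.tmp and nsgEF81.tmp).
NSIS_TMP_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\ns[a-z][0-9a-f]{1,8}\.tmp\\[^\\]+\.(?:exe|dll)$",
    re.IGNORECASE,
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm(text):
    """Set of (writer pid, target pid) pairs, with repeated rows collapsed."""
    return {(int(a), int(b)) for a, b in WPM_RE.findall(text)}


def parent_child_edges(events):
    """Set of (parent pid, child pid) edges taken from the process tree."""
    return {(ppid, pid) for pid, ppid, _ in events if ppid is not None}


def ancestry(pid, events):
    """Root-to-leaf chain of pids ending at `pid`."""
    parents = {p: pp for p, pp, _ in events}
    chain = [pid]
    while parents.get(chain[-1]) is not None:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def nsis_temp_execs(events):
    """Pids whose image path sits inside an NSIS-style temp directory."""
    return [pid for pid, _, image in events if NSIS_TMP_EXE.search(image)]


def unexplained_writes(events, wpm_text):
    """WriteProcessMemory pairs that are NOT a parent writing into its own child.

    An empty result means the signature only reflects process creation, as it does
    for this sample; a non-empty result is the case worth chasing as injection.
    """
    return parse_wpm(wpm_text) - parent_child_edges(events)


if __name__ == "__main__":
    print("NSIS temp-dir executions:", nsis_temp_execs(EVENTS))
    print("chain to 4564:", ancestry(4564, EVENTS))
    print("unexplained writes:", unexplained_writes(EVENTS, WPM_LINES))
```

Running it on the page's data gives an empty set of unexplained writes, which is the caveat to attach to this signature: here it documents the installer chain (sample → iWinGames.exe → InstGameInfoHelper.exe), not cross-process injection. Feed it a synthetic pair such as 4564 → 2784 and that pair is returned.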
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 7KB
MD5 c430c0a7ef0ac8f80004de7f7898bced
SHA1 1f698e988bcc19d280a70c3283ff2816bb0db465
SHA256 dd4e24bcee7e9e952f1c7cda7532c0b851b87577e1b679380808f22d875c7c96
SHA512 3fa4fe59cadb580ab8b452ff7c2dd3802f8f6fe920dee15c81492c0c324ab991471de01fdb6f3ac07e336a90755243a1ef1de1bb5dd1c51cb70918e7192b46b4
-
Filesize 99KB
MD5 3d3d2bf9c42dbdf97247775c00f22190
SHA1 7a046170aaeb5e1a29d8c8cd7c32225f49237aa1
SHA256 59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a
SHA512 6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466
-
Filesize 18B
MD5 08e6a153368d8c0fb970a1cf0b60a6fb
SHA1 4f2ebf2b3eaa65f4d47b34f61622f09bb345606c
SHA256 5993da161b24cffbcd13269a3e5a7bff1d65dadbf5a72829e5dbd4a882266973
SHA512 0df00d67f04a2edc9f24257114095a5956fdf3d26c6665ccbd9de09de53d047454273b7acf602f81ca4985d65fab263b7dd04938e40db001068b36bc9cdf5dad
-
Filesize 6KB
MD5 51e63a9c5d6d230ef1c421b2eccd45dc
SHA1 c499cdad5c613d71ed3f7e93360f1bbc5748c45d
SHA256 cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f
SHA512 c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522
-
Filesize 4KB
MD5 6792b98e5bf4a7835a2e5e533c632494
SHA1 5f7d25167558a188dbefaadbff2de0595c4ea0b3
SHA256 7ef3a4675994c2df47456026bc784837fa8e5fff0519c905abf6a5a3fb9fef25
SHA512 8528e97c0e1ee035b6e7f56a53cf699734ea9da84050b28f344b5bf8f13a95e2ce5457b50bb372438192fa12d7fff108df914e516a3aa062a9091ba600511a55
-
Filesize 11KB
MD5 960a5c48e25cf2bca332e74e11d825c9
SHA1 da35c6816ace5daf4c6c1d57b93b09a82ecdc876
SHA256 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2
SHA512 cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da
-
Filesize 512B
MD5 bc1a08283ccd7967613219c5cea33048
SHA1 a104a940995e6aaf7faaf9a1bd1e061c3e4b0dd8
SHA256 3160186021a733b39e860061c5b1fcce905dd595a20ab4db87410f674f958916
SHA512 2b235b9076265352a8a2d43804c030f0ecc7168ab3bf3ec73cbef33865c44fe62d683a5f3294bdce77cb44d54fe2f47547133e601f2f1fb08620bd5ccb2a225a
-
Filesize 4.4MB
MD5 9939c0274f24ae6d6e29dd5580fd88ac
SHA1 96c2a03086e3afd51430fa0f79026d7a961101ae
SHA256 991cefa2b730f298ae402d32ad1e311996354f4bb4ae815c4f979e03b70a5471
SHA512 ab230e1b79f14ce6bcde605a5cb0e13c4030fd64c9b86cb1df290455084dcd04c40f2f011ea0e674b52e6f47490ee9bb3f41dc5e07b83187f3c75c13c471bf35
-
Filesize 14KB
MD5 a5a4cee2eb89d2687c05ef74299f0dba
SHA1 b9bff5987be422887f2f402357b47db2288a1a42
SHA256 cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963
SHA512 f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0
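When the dropped and downloaded files are recovered from the sandbox or from a host, the first step is to confirm they are the artefacts this report describes and to see which of them are NSIS packages themselves. The script below is an added example, not code from the report or the sandbox: it hashes each file in the four algorithms the report lists, matches the SHA256 against the values transcribed from the General and Downloads sections above, and scans for the NSIS first-header marker. The marker (0xDEADBEEF little-endian followed by "NullsoftInst") is the author's choice of check; the page's nsis_installer_1 and nsis_installer_2 YARA rules are not reproduced here and may match on different bytes.

```python
import hashlib
import os

# SHA256 values transcribed from this report's General and Downloads sections, mapped
# to the only label the page gives each file (its size). Only SHA256 is used to match.
REPORT_SHA256 = {
    "06e187ee90ec1e32e8e0bb61a7f806a92dabe74d104a11b5b927c1bd23847524": "submitted sample (85KB)",
    "dd4e24bcee7e9e952f1c7cda7532c0b851b87577e1b679380808f22d875c7c96": "download (7KB)",
    "59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a": "download (99KB)",
    "5993da161b24cffbcd13269a3e5a7bff1d65dadbf5a72829e5dbd4a882266973": "download (18B)",
    "cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f": "download (6KB)",
    "7ef3a4675994c2df47456026bc784837fa8e5fff0519c905abf6a5a3fb9fef25": "download (4KB)",
    "484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2": "download (11KB)",
    "3160186021a733b39e860061c5b1fcce905dd595a20ab4db87410f674f958916": "download (512B)",
    "991cefa2b730f298ae402d32ad1e311996354f4bb4ae815c4f979e03b70a5471": "download (4.4MB)",
    "cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963": "download (14KB)",
}

# NSIS first-header signature: 0xDEADBEEF (little-endian) then ASCII "NullsoftInst".
# This is the marker chosen for this example, not the page's YARA rules.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"


def digests(data):
    """MD5/SHA1/SHA256/SHA512 hex digests, the four columns the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def is_pe(data):
    """Cheap PE check: DOS header magic only."""
    return data[:2] == b"MZ"


def has_nsis_marker(data):
    """True if the NSIS first-header marker occurs anywhere in the file body."""
    return NSIS_MARKER in data


def triage_bytes(name, data):
    """Hash, classify and match one file against the report's SHA256 set."""
    d = digests(data)
    return {
        "name": name,
        "size": len(data),
        "md5": d["md5"],
        "sha256": d["sha256"],
        "pe": is_pe(data),
        "nsis": has_nsis_marker(data),
        "report_match": REPORT_SHA256.get(d["sha256"]),
    }


def triage_dir(root):
    """Walk a directory of recovered files and triage each one."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                results.append(triage_bytes(path, fh.read()))
    return results


if __name__ == "__main__":
    # Constructed input: a stub PE body carrying the NSIS marker, not a real file.
    stub = b"MZ" + b"\x00" * 62 + NSIS_MARKER + b"\x00" * 8
    print(triage_bytes("constructed_stub.exe", stub))
```

A match on `report_match` ties a recovered file back to a row above; an NSIS hit on a file that is not the submitted sample tells you that a downloaded or dropped component is itself an installer and deserves its own unpacking pass.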