Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 16:32
Static task: static1

Behavioral task: behavioral1
  Sample: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
Size: 1.7MB
MD5: a157c71bbf2010904d0ebf204997d559
SHA1: c048f6f2885006768d026d10ace1a6db351ffc68
SHA256: 8df9b797d715806c7025589ba233f95d5a08e1c59317a7cebc29d2e009e6fef2
SHA512: 864ddafef42b002474b33f789bb51ccc7e3923de72c06e2894c7186282912172ded68b2689f37fe6100d7083244bb1599f6ea9129049accc59d6e3eeb8b7bed5
SSDEEP: 49152:yJwukbANGDkTjvh1/zxUOLlTlpSmJurwKTH9h:yef4p1rL8Bx
Malware Config

Signatures

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTP, 1 IoC)
  pid 1276  process PING.EXE

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2176  process a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2176  process a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe  (3 events)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process                                              procid_target
  PID 2176 wrote to memory of 956    2176  a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe   30  (listed 4 times)
  PID 956 wrote to memory of 1276    956   cmd.exe                                              32  (listed 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"
  PID: 2176
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" "C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\""
    PID: 956
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 1276
      - Runs ping.exe

Note: cmd.exe and PING.EXE are both started from SysWOW64, so the sample runs as a 32-bit process on the x64 image. The batch file 27967.bat is passed the sample's working directory under Temp as its argument, but it does not appear in the dropped-file list below, so its contents cannot be recovered from this report; the ping command as recorded sends a single echo request with a 1000 ms timeout.
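The chain above (an executable in the user's Temp directory spawning cmd.exe to run a batch file from the same directory, which in turn runs a single ping with a timeout) is worth encoding as detection logic over process-creation telemetry. The following is an added example and is not part of the sandbox report or of the analysed sample: it runs two rules over process events constructed from the PIDs, images and command lines listed in the tree. The ProcEvent field names, the rule names and the benign control events are assumptions.

```python
"""Added example (not from the sandbox report): detection rules for the
cmd.exe -> ping.exe chain recorded in the process tree above.

Events are constructed from the PIDs, images and command lines the report
lists; the ProcEvent fields and the rule names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # 0 = parent not recorded
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs 2176 -> 956 -> 1276).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a157c71bbf2010904d0ebf204997d559_JaffaCakes118.exe"
EVENTS: List[ProcEvent] = [
    ProcEvent(2176, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(956, 2176, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\27967.bat" '
              r'"C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\""'),
    ProcEvent(1276, 956, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 1000"),
]

# Per-user Temp directory, as seen in the paths above.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# First drive-letter path ending in .bat/.cmd inside a command line.
SCRIPT_ARG = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:bat|cmd))\b', re.IGNORECASE)
# "ping <target> <flags...>", with or without the .exe suffix.
PING_ARGS = re.compile(r"^ping(?:\.exe)?\s+(?P<target>\S+)(?P<rest>.*)$", re.IGNORECASE)
# -n <count> / -w <timeout_ms>, the flags used to turn ping into a delay.
FLAG = re.compile(r"-(n|w)\s+(\d+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the root process down to `pid` (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per matching event, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = basename(e.image).lower()
        pimg = basename(parent.image).lower() if parent else ""

        # Rule 1: an executable in %TEMP% uses cmd.exe to run a script that
        # also lives in %TEMP% (the 2176 -> 956 step above).
        if img == "cmd.exe" and parent and TEMP_DIR.search(parent.image):
            m = SCRIPT_ARG.search(e.cmdline)
            if m and TEMP_DIR.search(m.group(1)):
                findings.append({"rule": "temp_exe_runs_temp_script",
                                 "pid": e.pid, "detail": m.group(1)})

        # Rule 2: ping.exe spawned by cmd.exe with -n/-w, the common batch
        # idiom for a delay or a quick connectivity check (the 956 -> 1276 step).
        if img == "ping.exe" and pimg == "cmd.exe":
            m = PING_ARGS.match(e.cmdline)
            if m:
                flags = {k.lower(): int(v) for k, v in FLAG.findall(m.group("rest"))}
                if "n" in flags or "w" in flags:
                    findings.append({"rule": "ping_delay_from_cmd", "pid": e.pid,
                                     "detail": f"{m.group('target')} n={flags.get('n')} w={flags.get('w')}"})
    return findings


if __name__ == "__main__":
    print(" -> ".join(ancestry(EVENTS, 1276)))
    for finding in detect(EVENTS):
        print(finding)
```

Both rules key on the parent/child relationship rather than on the image name alone, so a ping launched from cmd.exe by a user at an interactive prompt, or cmd.exe started by explorer.exe, does not match; in real telemetry the parent image and the full command line are the fields that carry the signal here.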
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file (no path listed in the report)
Filesize: 212B
MD5: 668767f1e0c7ff2b3960447e259e9f00
SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt
(this path is listed three times with different sizes and hashes)
Filesize: 2KB
MD5: 22fe874f55f0ade058f780de6d359cf5
SHA1: cbb6387d90a526f8ea2943898279c526615583d3
SHA256: a792147cc12ec10e3552bb9f51d4528dd420edeb26741e59c24d6542824ad63b
SHA512: dddac60a2940c1068df87977746a44a1015ce23cde68912633a3b4d6ac6d2c368100a2b42835fef34b8fc9b11bff7be0f2257b2d6dcec277e4cb13aa62b42def

C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt
Filesize: 5KB
MD5: 6441e1080c836c0c4978f5f30165919b
SHA1: 2a365f8ff321967ac209067d58fe6a016b71feb8
SHA256: 363d4985ed51d11caaa3893aaedfdf274df0d4d67d0b56b5db96ecdc214a7ce2
SHA512: f708b6fd54e9b7e663c221bfb0297929009a96a2253303a774e3fea622a2388463c957954705a89a93dc70225ab525a0774235f11db949237318f068f259f08b

C:\Users\Admin\AppData\Local\Temp\E4FD2F6F1A1742EBA0A13E0DB5937F89\E4FD2F6F1A1742EBA0A13E0DB5937F89_LogFile.txt
Filesize: 2KB
MD5: 22d101d09ee9c25b0c795449a03098c0
SHA1: 41a0fa393a5af805130787a443069c4c0f0581c4
SHA256: ab32295ad8528b009b1a9f45595c50c83b39b7324715d2207f6e10dcb8d0cca8
SHA512: d5b46a8e039c4025221b14d5406ae28546b95691f2287043acb59b2e3aef305b2d8245ef48eb3bf3dd90beae4edf78af6b17c5d57f357374c89ecebee090f4c6

Dropped file (no path listed in the report)
Filesize: 106KB
MD5: 1565fb12aed65c905674f1532122889d
SHA1: e72e6352cdebeadc305482217a4741282989b636
SHA256: e15929de85eae6f05b66b23f6062ca1ebb323067267a7d47d102d8ea3c0defa5
SHA512: 9f4d151ba20da5d4be38910cca31b841f397404bca52d01deaafe96ece9a8d8394e0de72235640e25fb357f72d7cc6e8fc845055a69c70fb90e7c391851036b4