Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 07:35
Static task
- static1
Behavioral task
- behavioral1
  Sample: a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
- Size: 1.6MB
- MD5: a473b5198f8f8a862cefab74dadef499
- SHA1: 765ed46149c8ee653125c9d98d27e6e654c8f03e
- SHA256: d5ea117bf8c3f798f9d61f546af074e36f0162ce48af1c72210f76024fef82ce
- SHA512: 59a57c75af8c4a5c80c49f7f4a5fe4592b48c4770de15eef593f6469ab48a087b56fef0783727ad1d8dcf623f981a8ffd0afd35795e8e7cb9a04993f195b0364
- SSDEEP: 49152:WZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9h:WGIjR1Oh0TN
Malware Config
(none extracted)
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 1328, process PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2820, process a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2820, process a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe (three hits)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2820 (a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe) wrote to memory of PID 2092 (target 30), recorded 4 times
  PID 2092 (cmd.exe) wrote to memory of PID 1328 (target 32), recorded 4 times
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a473b5198f8f8a862cefab74dadef499_JaffaCakes118.exe"
  PID: 2820
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\16386.bat" "C:\Users\Admin\AppData\Local\Temp\12D3F88BDE924735A055ED4CDFE3E938\""
    PID: 2092
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 1000
      PID: 1328
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\12D3F88BDE924735A055ED4CDFE3E938\12D3F88BDE924735A055ED4CDFE3E938_LogFile.txt
  Filesize: 10KB
  MD5: d1a28c1e4fb2ee1c91cc91a199318ae8
  SHA1: 091dbc0005b0233626c01483d1ff50c528007318
  SHA256: bad9c3c84c9e693c3aaef8e97ffe5585dc80870e181e0d1e6dd48662f365bf89
  SHA512: e3024b6c85db41ada301fad763b68e655be905f84de9625ccfdf7411108148702712525b01b59a16facdf5b4e083d58d6d6b14fd959f2e5221802c8208ebc728
- (unnamed file)
  Filesize: 106KB
  MD5: 606aea6b53e36d7d1a719a89658f7468
  SHA1: 60134ea5a8dda1538df371af8496cc1774b67260
  SHA256: 71b5d331250ce7b63cb69af4b93d806aa0580bb35db0ac07dde136f6a41dafd7
  SHA512: 054b4b890ea34873f7bcd0987c4ed8aeca8edf72bf7e9ab12a48f815cbba1590fd68e155355795f191dc7faef59048d9098f81e137a4ae681326de75fa50b0db
- (unnamed file)
  Filesize: 212B
  MD5: 668767f1e0c7ff2b3960447e259e9f00
  SHA1: 32d8abf834cce72f5e845175a0af2513b00504d8
  SHA256: cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d
  SHA512: c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680