Analysis

max time kernel: 137s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 08:24
Static task: static1

Behavioral task: behavioral1
  Sample: a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target: a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
Size: 293KB
MD5: a49e24978c3933b375acd7a4a7c71797
SHA1: 013f116fc1490ef6e8cc91cf9c9076bedd44942b
SHA256: 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c
SHA512: 9e68be5af3740c23b8417c0e12aca67cb755b3c618b97064e0351e75fcaef73bbb8db204943504c6ca005b99f57d05d702020bb2045a62e59a92734f2bc74142
SSDEEP: 6144:wXZeWvWV0NXXq3LHGNaY0rpi9E0+o3buGS/6IauJaQ8MJ:wZOV0Bq7HGNp0rpq+oru8I/
Malware Config
Signatures

Executes dropped EXE (10 IoCs)
  pid   Process
  2844  taskmgnr.exe
  2864  taskmgnr.exe
  2496  taskmgnr.exe
  1800  taskmgnr.exe
  2840  taskmgnr.exe
  1324  taskmgnr.exe
  1040  taskmgnr.exe
  1060  taskmgnr.exe
  2508  taskmgnr.exe
  1936  taskmgnr.exe

Loads dropped DLL (20 IoCs; each process below is listed twice in the report)
  pid   Process
  2920  a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
  2844  taskmgnr.exe
  2864  taskmgnr.exe
  2496  taskmgnr.exe
  1800  taskmgnr.exe
  2840  taskmgnr.exe
  1324  taskmgnr.exe
  1040  taskmgnr.exe
  1060  taskmgnr.exe
  2508  taskmgnr.exe

Drops file in System32 directory (22 IoCs, all against the same path)
  description                   ioc                               Process                                             count
  File created                  C:\Windows\SysWOW64\taskmgnr.exe  a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe  1
  File opened for modification  C:\Windows\SysWOW64\taskmgnr.exe  a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe  1
  File created                  C:\Windows\SysWOW64\taskmgnr.exe  taskmgnr.exe                                        10
  File opened for modification  C:\Windows\SysWOW64\taskmgnr.exe  taskmgnr.exe                                        10

Suspicious use of WriteProcessMemory (40 IoCs; each parent/child pair below is recorded four times in the report)
  description                       pid   Process                                             procid_target
  PID 2920 wrote to memory of 2844  2920  a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe  28
  PID 2844 wrote to memory of 2864  2844  taskmgnr.exe                                        29
  PID 2864 wrote to memory of 2496  2864  taskmgnr.exe                                        30
  PID 2496 wrote to memory of 1800  2496  taskmgnr.exe                                        33
  PID 1800 wrote to memory of 2840  1800  taskmgnr.exe                                        34
  PID 2840 wrote to memory of 1324  2840  taskmgnr.exe                                        35
  PID 1324 wrote to memory of 1040  1324  taskmgnr.exe                                        36
  PID 1040 wrote to memory of 1060  1040  taskmgnr.exe                                        37
  PID 1060 wrote to memory of 2508  1060  taskmgnr.exe                                        38
  PID 2508 wrote to memory of 1936  2508  taskmgnr.exe                                        39
Processes

Each process below is the child of the one above it. The command lines name C:\Windows\system32\taskmgnr.exe, but the sample is 32-bit (resource tag arch:x86) and WOW64 file system redirection resolves that path to C:\Windows\SysWOW64, which is the image path the sandbox records.

Depth 1: C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"
  PID: 2920
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 476 "C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"
  PID: 2844
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 528 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 2864
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 536 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 2496
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 544 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 1800
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 532 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 2840
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 540 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 1324
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 552 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 1040
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 556 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 1060
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 548 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 2508
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 560 "C:\Windows\SysWOW64\taskmgnr.exe"
  PID: 1936
  - Executes dropped EXE
  - Drops file in System32 directory
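The process tree and the WriteProcessMemory IoCs above describe one pattern: the sample copies itself to C:\Windows\SysWOW64\taskmgnr.exe, launches the copy with a number and its own path as arguments, and each copy repeats that step, giving a chain eleven processes deep. The script below is an added example, not part of this report or of any sandbox's code; it parses a Triage-style WriteProcessMemory listing, collapses the four duplicate events the sandbox records per CreateProcess, walks the parent/child edges from the root PID and checks, for every edge, that the child runs from the dropped path and was passed its parent's image path. The line shape assumed for the IoCs ("PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"), the helper names and the reconstruction of the raw listing from the ten edges are assumptions; the PIDs, paths, arguments and counts are the report's.

```python
import re
from collections import defaultdict

# --- Constructed input, reproducing the report's data --------------------------------
SAMPLE = "a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROPPED = r"C:\Windows\SysWOW64\taskmgnr.exe"

# (parent pid, child pid, parent image name, procid_target) for the ten edges in the
# report. The sandbox lists every edge four times, so RAW_WPM repeats each one (assumed
# reconstruction of the original listing).
EDGES = [
    (2920, 2844, SAMPLE, 28), (2844, 2864, "taskmgnr.exe", 29),
    (2864, 2496, "taskmgnr.exe", 30), (2496, 1800, "taskmgnr.exe", 33),
    (1800, 2840, "taskmgnr.exe", 34), (2840, 1324, "taskmgnr.exe", 35),
    (1324, 1040, "taskmgnr.exe", 36), (1040, 1060, "taskmgnr.exe", 37),
    (1060, 2508, "taskmgnr.exe", 38), (2508, 1936, "taskmgnr.exe", 39),
]
RAW_WPM = "\n".join(
    f"PID {src} wrote to memory of {dst} {src} {img} {tgt}"
    for src, dst, img, tgt in EDGES
    for _ in range(4)
)


def _cmd(n, parent_path):
    # Command-line shape recorded for every taskmgnr.exe instance in the report.
    return f'C:\\Windows\\system32\\taskmgnr.exe {n} "{parent_path}"'


# pid -> (image path, command line), copied from the Processes section.
PROCESSES = {
    2920: (TEMP_EXE, f'"{TEMP_EXE}"'),
    2844: (DROPPED, _cmd(476, TEMP_EXE)),
    2864: (DROPPED, _cmd(528, DROPPED)),
    2496: (DROPPED, _cmd(536, DROPPED)),
    1800: (DROPPED, _cmd(544, DROPPED)),
    2840: (DROPPED, _cmd(532, DROPPED)),
    1324: (DROPPED, _cmd(540, DROPPED)),
    1040: (DROPPED, _cmd(552, DROPPED)),
    1060: (DROPPED, _cmd(556, DROPPED)),
    2508: (DROPPED, _cmd(548, DROPPED)),
    1936: (DROPPED, _cmd(560, DROPPED)),
}

# --- Parsing and analysis ------------------------------------------------------------
# Assumed shape of one WriteProcessMemory IoC line:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
# <image> <number> "<quoted path>": the argument layout used by the dropped binary.
ARGS_RE = re.compile(r'^(\S+) (\d+) "([^"]+)"$')


def parse_wpm(raw):
    """Return (raw event count, {writer pid: set of target pids}); duplicates collapse."""
    events = 0
    children = defaultdict(set)
    for line in raw.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        events += 1
        children[int(m.group(1))].add(int(m.group(2)))
    return events, dict(children)


def spawn_chain(children, root):
    """Follow single-child edges from root; stop at a leaf, a fork, or a cycle."""
    chain, seen = [root], {root}
    while True:
        kids = children.get(chain[-1], set())
        if len(kids) != 1:
            break
        (nxt,) = kids
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def self_relaunch_edges(chain, processes, dropped_path):
    """Count edges whose child runs from dropped_path and is passed its parent's image path."""
    hits = 0
    for parent, child in zip(chain, chain[1:]):
        image, cmdline = processes[child]
        m = ARGS_RE.match(cmdline)
        if (image.lower() == dropped_path.lower()
                and m and m.group(3).lower() == processes[parent][0].lower()):
            hits += 1
    return hits


def analyse(raw_wpm, processes, root, dropped_path):
    """Summarise the relaunch chain: event counts, the pid chain, its depth, matching edges."""
    events, children = parse_wpm(raw_wpm)
    chain = spawn_chain(children, root)
    return {
        "raw_events": events,
        "unique_edges": sum(len(v) for v in children.values()),
        "chain": chain,
        "depth": len(chain),
        "self_relaunches": self_relaunch_edges(chain, processes, dropped_path),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_WPM, PROCESSES, 2920, DROPPED).items():
        print(f"{key}: {value}")
```

On this report the chain walk returns all eleven PIDs in order and every one of the ten edges satisfies the relaunch check; spawn_chain stops deliberately at the first process with zero or several children, so a sample that forks rather than chains shows up as a short chain instead of a wrong one.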
Network
MITRE ATT&CK Matrix
Downloads

a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
  Filesize: 293KB
  MD5: a49e24978c3933b375acd7a4a7c71797
  SHA1: 013f116fc1490ef6e8cc91cf9c9076bedd44942b
  SHA256: 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c
  SHA512: 9e68be5af3740c23b8417c0e12aca67cb755b3c618b97064e0351e75fcaef73bbb8db204943504c6ca005b99f57d05d702020bb2045a62e59a92734f2bc74142