Analysis

- max time kernel: 137s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 08:24
Static task: static1

Behavioral task: behavioral1
- Sample: a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
- Resource: win10v2004-20240611-en

The results below are from the win10v2004-20240611-en run (behavioral2), as the platform line above indicates.
General

- Target: a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
- Size: 293KB
- MD5: a49e24978c3933b375acd7a4a7c71797
- SHA1: 013f116fc1490ef6e8cc91cf9c9076bedd44942b
- SHA256: 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c
- SHA512: 9e68be5af3740c23b8417c0e12aca67cb755b3c618b97064e0351e75fcaef73bbb8db204943504c6ca005b99f57d05d702020bb2045a62e59a92734f2bc74142
- SSDEEP: 6144:wXZeWvWV0NXXq3LHGNaY0rpi9E0+o3buGS/6IauJaQ8MJ:wZOV0Bq7HGNp0rpq+oru8I/
Malware Config
Signatures

- Executes dropped EXE (10 IoCs)

  pid   Process
  1400  taskmgnr.exe
  1956  taskmgnr.exe
  2348  taskmgnr.exe
  4628  taskmgnr.exe
  3852  taskmgnr.exe
  1676  taskmgnr.exe
  3260  taskmgnr.exe
  2368  taskmgnr.exe
  1200  taskmgnr.exe
  1228  taskmgnr.exe

- Drops file in System32 directory (22 IoCs)

  All 22 entries concern the same path, C:\Windows\SysWOW64\taskmgnr.exe; the report does not record PIDs for these rows.

  description                   ioc                               Process                                              entries
  File created                  C:\Windows\SysWOW64\taskmgnr.exe  a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe  1
  File opened for modification  C:\Windows\SysWOW64\taskmgnr.exe  a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe  1
  File created                  C:\Windows\SysWOW64\taskmgnr.exe  taskmgnr.exe                                         10
  File opened for modification  C:\Windows\SysWOW64\taskmgnr.exe  taskmgnr.exe                                         10

  The original sample writes the file once; every one of the ten dropped copies then re-creates and re-opens the same path before launching its successor.

- Suspicious use of WriteProcessMemory (30 IoCs)

  Each parent/child pair is listed three times in the report (one entry per WriteProcessMemory call); the table collapses the repeats into an entry count.

  description                       pid   Process                                              procid_target  entries
  PID 5092 wrote to memory of 1400  5092  a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe  81             3
  PID 1400 wrote to memory of 1956  1400  taskmgnr.exe                                         85             3
  PID 1956 wrote to memory of 2348  1956  taskmgnr.exe                                         88             3
  PID 2348 wrote to memory of 4628  2348  taskmgnr.exe                                         90             3
  PID 4628 wrote to memory of 3852  4628  taskmgnr.exe                                         91             3
  PID 3852 wrote to memory of 1676  3852  taskmgnr.exe                                         92             3
  PID 1676 wrote to memory of 3260  1676  taskmgnr.exe                                         93             3
  PID 3260 wrote to memory of 2368  3260  taskmgnr.exe                                         94             3
  PID 2368 wrote to memory of 1200  2368  taskmgnr.exe                                         95             3
  PID 1200 wrote to memory of 1228  1200  taskmgnr.exe                                         96             3

  Together these rows trace one linear chain, 5092 -> 1400 -> 1956 -> 2348 -> 4628 -> 3852 -> 1676 -> 3260 -> 2368 -> 1200 -> 1228: every instance writes into exactly one successor, and no process has more than one child.
Processes

Each entry is the child of the one above it (eleven levels deep). The image path the sandbox resolved is C:\Windows\SysWOW64\taskmgnr.exe, while every command line names C:\Windows\system32\taskmgnr.exe: the binary is 32-bit (resource tag arch:x86) and its System32 reference is subject to WOW64 file-system redirection. Each dropped copy is launched with a numeric argument that changes per generation, followed by the quoted path of its parent's image. The final instance, PID 1228, carries no WriteProcessMemory entry, so no further successor was recorded within the run.

Level 1, PID 5092: C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 2, PID 1400: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1032 "C:\Users\Admin\AppData\Local\Temp\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 3, PID 1956: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1152 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 4, PID 2348: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1124 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 5, PID 4628: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1128 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 6, PID 3852: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1140 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 7, PID 1676: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1132 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 8, PID 3260: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1116 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 9, PID 2368: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1148 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 10, PID 1200: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1156 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 11, PID 1228: C:\Windows\SysWOW64\taskmgnr.exe
  Command line: C:\Windows\system32\taskmgnr.exe 1160 "C:\Windows\SysWOW64\taskmgnr.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
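The process tree and the signature rows above describe a detectable pattern: a binary whose name is one character away from taskmgr.exe is written under SysWOW64 by the sample, run, and then re-dropped and re-run by each copy in turn, with every parent writing into its child's memory. The following Python is an added example, not part of the sandbox report or of any tool's output: it transcribes the report's Processes and Drops-file rows as constructed data, rebuilds the parent/child chain, counts drop-and-run hops, and flags image names that squat on a known Windows binary name. The list of known binaries and the hop threshold are illustrative assumptions, as is the use of image name (rather than PID) to link the drop rows to processes, since the report records no PIDs for them.

```python
"""Added example: rebuild the chain from the report's rows and flag self-replication.
Process rows are transcribed from the report; KNOWN_SYSTEM_BINARIES and the
min_hops threshold are illustrative assumptions, not part of the report."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\a49e24978c3933b375acd7a4a7c71797_JaffaCakes118.exe")
DROPPED_PATH = r"C:\Windows\SysWOW64\taskmgnr.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None   # None marks the root of the tree
    image: str         # image path as the sandbox resolved it
    cmdline: str


def respawn(pid: int, ppid: int, arg: int, parent_image: str) -> Proc:
    """A dropped copy launched as in the report: system32\\taskmgnr.exe <n> "<parent>"."""
    return Proc(pid, ppid, DROPPED_PATH,
                rf'C:\Windows\system32\taskmgnr.exe {arg} "{parent_image}"')


# Process tree from the report, in depth order (each is the child of the previous).
PROCESSES = [
    Proc(5092, None, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    respawn(1400, 5092, 1032, SAMPLE_PATH),
    respawn(1956, 1400, 1152, DROPPED_PATH),
    respawn(2348, 1956, 1124, DROPPED_PATH),
    respawn(4628, 2348, 1128, DROPPED_PATH),
    respawn(3852, 4628, 1140, DROPPED_PATH),
    respawn(1676, 3852, 1132, DROPPED_PATH),
    respawn(3260, 1676, 1116, DROPPED_PATH),
    respawn(2368, 3260, 1148, DROPPED_PATH),
    respawn(1200, 2368, 1156, DROPPED_PATH),
    respawn(1228, 1200, 1160, DROPPED_PATH),
]

# "Drops file in System32 directory" rows as (image name, dropped path).  The
# report gives image names, not PIDs, for these, so the link is by name (assumption).
DROPS = {(ntpath.basename(SAMPLE_PATH), DROPPED_PATH), ("taskmgnr.exe", DROPPED_PATH)}

# Illustrative list of Windows binaries whose names are worth guarding against squatting.
KNOWN_SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe",
                         "csrss.exe", "explorer.exe", "winlogon.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_chain(procs: list[Proc]) -> list[int]:
    """Longest root-to-leaf PID path; handles branching trees, not just a line."""
    children: dict[int | None, list[int]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)

    def walk(pid: int) -> list[int]:
        best: list[int] = []
        for c in children.get(pid, []):
            path = walk(c)
            if len(path) > len(best):
                best = path
        return [pid] + best

    return max((walk(r) for r in children.get(None, [])), key=len, default=[])


def lookalike_names(procs: list[Proc], known=KNOWN_SYSTEM_BINARIES,
                    max_dist: int = 2) -> dict[str, str]:
    """Image names close to, but not equal to, a known system binary name."""
    hits: dict[str, str] = {}
    for p in procs:
        name = ntpath.basename(p.image).lower()
        if name in known:
            continue
        for k in known:
            if edit_distance(name, k) <= max_dist:
                hits[name] = k
                break
    return hits


def self_replication_hops(procs: list[Proc], drops=DROPS) -> int:
    """Parent->child edges where the child runs from a file the parent dropped."""
    by_pid = {p.pid: p for p in procs}
    hops = 0
    for child in procs:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent and (ntpath.basename(parent.image), child.image) in drops:
            hops += 1
    return hops


def verdict(procs: list[Proc], drops=DROPS, min_hops: int = 3) -> dict:
    """Combine the signals.  min_hops is illustrative: one drop-and-run is common
    for installers; a chain of them re-dropping the same System32 path is not."""
    chain = longest_chain(procs)
    hops = self_replication_hops(procs, drops)
    names = lookalike_names(procs)
    return {"chain": chain, "depth": len(chain), "self_replication_hops": hops,
            "lookalike_names": names, "flag": hops >= min_hops and bool(names)}
```

Run against the transcribed rows, verdict(PROCESSES) yields the eleven-PID chain, ten drop-and-run hops, and the single lookalike taskmgnr.exe -> taskmgr.exe, so the flag is set; cutting the input to the first two processes leaves a single hop and no flag, which is the point of requiring a chain rather than one dropped executable.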
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 293KB
- MD5: a49e24978c3933b375acd7a4a7c71797
- SHA1: 013f116fc1490ef6e8cc91cf9c9076bedd44942b
- SHA256: 82f081c80544c15d8b5a34e73a670c96e5522b160f30c48fcdb610403bb2a19c
- SHA512: 9e68be5af3740c23b8417c0e12aca67cb755b3c618b97064e0351e75fcaef73bbb8db204943504c6ca005b99f57d05d702020bb2045a62e59a92734f2bc74142

These hashes are identical to those of the submitted sample listed under General.