Analysis

max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General

Target: a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe
Size: 411KB
MD5: a79df0b5df8c0b4a0185d28c0f16a910
SHA1: bf1423309404fb3c9a58ee9f7c62f8da564e0a34
SHA256: 88589ff9df936baabc4d0c837069c30507ca0dfe519fb296fe97073f11551810
SHA512: 3fdbcf5fa8d669ae86138f5bd3eac1f17773f3b440a5e27a6d2f659de223bff5f549044b173d6780eb67cfeadd6233cd8203169264313fa3a545dbcfc2700bae
SSDEEP: 12288:Y3nZMhJ+ubNJWn8qa/NxK4kbnOmcNirl7:Y3nZqfbvWnA/Rc7zV
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  PID 2552 file.exe
  PID 2672 jj2o5.exe
  PID 2524 jj2o5.exe

Loads dropped DLL (9 IoCs)
  PID 2440 WScript.exe (3 loads)
  PID 2552 file.exe (4 loads)
  PID 1888 csc.exe (2 loads)
YARA rule matches in process memory (rule: upx, 16 IoCs)
  PID 1888 csc.exe, region 0x0000000000400000-0x0000000000424000: dumps behavioral1/memory/1888-{33,35,38,39,40,41,42,58}-...-memory.dmp
  PID 2524 jj2o5.exe, region 0x0000000000400000-0x0000000000473000: dumps behavioral1/memory/2524-{54,60,61,62,63,64,66,69}-...-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: jj2o5.exe (PID 2524)
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\AudioD = "C:\\Users\\Admin\\AppData\\Roaming\\5bj1o\\jj2o5.exe"
Suspicious use of SetThreadContext (2 IoCs)
  PID 2672 jj2o5.exe set thread context of PID 1888 csc.exe
  PID 1888 csc.exe set thread context of PID 2524 jj2o5.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1888 csc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2524 jj2o5.exe
Suspicious use of WriteProcessMemory (41 IoCs)
  PID 2664 a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe wrote to memory of PID 2440 WScript.exe (7 times)
  PID 2440 WScript.exe wrote to memory of PID 2552 file.exe (7 times)
  PID 2552 file.exe wrote to memory of PID 2672 jj2o5.exe (7 times)
  PID 2672 jj2o5.exe wrote to memory of PID 1888 csc.exe (11 times)
  PID 1888 csc.exe wrote to memory of PID 2524 jj2o5.exe (9 times)
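The SetThreadContext and WriteProcessMemory records above name the same parent/child pairs twice: jj2o5.exe (PID 2672) writes into csc.exe (PID 1888) and then replaces its thread context, and csc.exe does the same to a second jj2o5.exe (PID 2524). A parent that both writes a freshly created child's memory and resets its thread context is the suspended-process injection sequence (process hollowing / thread hijacking), and a 32-bit .NET 2.0 csc.exe started with no arguments is a typical signed host for it. The Python script below is an added example, not part of the sandbox report or its tooling: it parses the report's own record layout ("PID <src> <verb> <dst> <src> <src image> <dst image>"), aggregates the records per parent/child pair, flags pairs that carry both verbs, and walks the injection chain from the submitted sample. The INJECTION_HOSTS list and the collapsed sample records (one write line per pair instead of the report's repeats) are this example's assumptions; paste the report's full signature text into SAMPLE_RECORDS to run it on the real counts.

```python
"""Flag process-hollowing style injection from sandbox signature records.

Added example for this report, not sandbox tooling. Record layout parsed:
    PID <src> set thread context of <dst> <src> <src image> <dst image>
    PID <src> wrote to memory of <dst> <src> <src image> <dst image>
"""
import re
from collections import defaultdict

# Constructed sample: the report's records with repeated writes collapsed
# (the report repeats each write 7 to 11 times). Line breaks do not matter.
SAMPLE_RECORDS = (
    "PID 2672 set thread context of 1888 2672 jj2o5.exe csc.exe "
    "PID 1888 set thread context of 2524 1888 csc.exe jj2o5.exe "
    "PID 2664 wrote to memory of 2440 2664 a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe WScript.exe "
    "PID 2440 wrote to memory of 2552 2440 WScript.exe file.exe "
    "PID 2552 wrote to memory of 2672 2552 file.exe jj2o5.exe "
    "PID 2672 wrote to memory of 1888 2672 jj2o5.exe csc.exe "
    "PID 2672 wrote to memory of 1888 2672 jj2o5.exe csc.exe "
    "PID 1888 wrote to memory of 2524 1888 csc.exe jj2o5.exe"
)

RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Assumption of this example: signed Microsoft binaries that injectors commonly
# start suspended and overwrite. Extend to match your own telemetry.
INJECTION_HOSTS = {"csc.exe", "vbc.exe", "regasm.exe", "regsvcs.exe",
                   "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def parse_records(text):
    """Return (src_pid, verb, dst_pid, src_image, dst_image) tuples."""
    return [
        (int(m["src"]), m["verb"], int(m["dst"]), m["src_img"], m["dst_img"])
        for m in RECORD_RE.finditer(text)
    ]


def build_edges(records):
    """Aggregate records into {(src_pid, dst_pid): edge} with per-verb counts."""
    edges = {}
    for src, verb, dst, src_img, dst_img in records:
        edge = edges.setdefault(
            (src, dst),
            {"src_img": src_img, "dst_img": dst_img, "verbs": defaultdict(int)},
        )
        edge["verbs"][verb] += 1
    return edges


def hollowing_candidates(edges):
    """Pairs where the parent both wrote the child's memory and replaced its
    thread context. Returns (src_pid, dst_pid, dst_image, signed_host)."""
    hits = []
    for (src, dst), edge in sorted(edges.items()):
        verbs = edge["verbs"]
        if verbs["wrote to memory of"] and verbs["set thread context of"]:
            host = edge["dst_img"].lower() in INJECTION_HOSTS
            hits.append((src, dst, edge["dst_img"], host))
    return hits


def injection_chain(edges, root_pid):
    """Follow parent->child memory writes from root_pid down to the leaf."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, seen = [root_pid], {root_pid}
    while children.get(chain[-1]):
        nxt = children[chain[-1]][0]
        if nxt in seen:  # guard against malformed cyclic records
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    edges = build_edges(parse_records(SAMPLE_RECORDS))
    for src, dst, img, host in hollowing_candidates(edges):
        tag = " (signed binary used as injection host)" if host else ""
        print(f"hollowing candidate: PID {src} -> PID {dst} {img}{tag}")
    print("chain:", " -> ".join(map(str, injection_chain(edges, 2664))))
```

On the sample records the script reports two hollowing candidates (2672 -> 1888 csc.exe as a signed host, then 1888 -> 2524 jj2o5.exe) and the chain 2664 -> 2440 -> 2552 -> 2672 -> 1888 -> 2524, which is exactly the process tree below; the plain parent writes at the top of the chain are ordinary process-creation noise and are not flagged.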
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe  (PID 2664)
    "C:\Users\Admin\AppData\Local\Temp\a79df0b5df8c0b4a0185d28c0f16a910_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe  (PID 2440)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\5bj1o\21mso.vbs" s9n8atdb726m22yu9djgd2dq94aibruejymwcr3duz8cv2yuvzaf0yvvtonhmqko7tsf
      (the command line names System32 but the image resolves to SysWOW64: the 32-bit parent is subject to WOW64 file system redirection)
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\5bj1o\file.exe  (PID 2552)
        "C:\Users\Admin\5bj1o\file.exe" -p1234
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe  (PID 2672)
          "C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe" s9n8atdb726m22yu9djgd2dq94aibruejymwcr3duz8cv2yuvzaf0yvvtonhmqko7tsf
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  (PID 1888)
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
            (32-bit .NET 2.0 C# compiler started with no arguments by the dropped executable)
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe  (PID 2524)
              "C:\Users\Admin\AppData\Roaming\5bj1o\jj2o5.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 91B
  MD5: 2dbda1ae2282f1b9efbf2d765c52dd0c
  SHA1: f182e2d4ee60088fbc22e2c0c647ef75304e6d42
  SHA256: ffb5a9e68035a2c477f197468762093d45aeae71ca6d868abca045f9eda8a578
  SHA512: bf2f3fc7e3e8b301ef049a74b7206d4729c427a802d0015e446c49fd866728d4fb0da8aa9989ec500d4885b67af021c247cd78a596185a5882252988a22dbc39

File 2
  Filesize: 529KB
  MD5: 38bed34868d64ba9f4a11d3e763539a0
  SHA1: edb562a987a4f0d73cb80606527d46412ea63a0b
  SHA256: 897e6a82490cd866b0a256c4a73bd685d4c4afd3187587bb89c082a9ebe18c52
  SHA512: 6966b8a7114254faf37c383f7e0122011afa0fb67d8d140137e19b812e5f56d5418910f2731343a70612d4527f8e60f9272f70e512cd2b7e54f8555641265f1d

File 3
  Filesize: 352KB
  MD5: fca6394ebe877f9cc47c74e8f3ffa0b5
  SHA1: 4165e2f428aab58dc41dd73f26162aaea96cf5b2
  SHA256: 6654d8fd7b3f09059b3bb90a2849e829247231e40de778a7a3427ecef7c9da95
  SHA512: b3b2a0f72c40038a9f4d67e7fd313df27387e817b1d118e5a0eaa522b2e22505d64f5152d7ef766a69a84829d340ad008f0b080f0fc363ef435192faa5dc3f34

File 4
  Filesize: 42KB
  MD5: ea91e005c6920683a4526839f7745482
  SHA1: 432058655709f00958f287b6413ed5750ff69577
  SHA256: 8be60bfbca8d12da042e25fb2254bd7aa3e13516a3df62faf3b1ed9c3340e449
  SHA512: 971903238c0272ee5a540a34807f0d6b44ecb582e3e0d216b9e8579a2f37e934dde86109815353d62f66373575f3a788166d7d8798b3fb2b5df07fb60c1c16bc