Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-06-2024 20:34
Static task
static1: 1 signatures
Behavioral task
behavioral1
Sample: b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
Resource: win7-20240611-en
5 signatures
150 seconds
General
Target: b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
Size: 174KB
MD5: b9ebda873738c0085d326db3fb580585
SHA1: 9784d374e7835547ece6de252a7d16057d90bc7d
SHA256: ec61ad3dc501ed0fdecfe3abd8916e1ce6246ceb99cfa9f8f9736aad0ac5529b
SHA512: 7064065b2b09dab685399058ffe78a72fd1e333e59cd00c98159edd28c2d98f09cad6155442c7dc27cec5af578eebf17b02b7fa952f024e4984f199eb33ba8f5
SSDEEP: 3072:XP+zlbNH/1l+JSPR+vjl9WTddK/mAcbTVe7UFtK:WzlbZe0PU59WnGUEAFt
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
pid   process
1440  b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
1440  b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
3732  b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
3732  b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
4568  catchsketch.exe
4568  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
3952  catchsketch.exe
Suspicious behavior: LoadsDriver (18 IoCs)
Processes:
pid: 4, 4, 4, 4, 4, 656, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4
Suspicious behavior: RenamesItself (1 IoCs)
Processes:
pid   process
3732  b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description / pid / process / target process
PID 1440 wrote to memory of 3732 / 1440 / b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe / b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
PID 1440 wrote to memory of 3732 / 1440 / b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe / b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
PID 1440 wrote to memory of 3732 / 1440 / b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe / b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe
PID 4568 wrote to memory of 3952 / 4568 / catchsketch.exe / catchsketch.exe
PID 4568 wrote to memory of 3952 / 4568 / catchsketch.exe / catchsketch.exe
PID 4568 wrote to memory of 3952 / 4568 / catchsketch.exe / catchsketch.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1440
    C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\b9ebda873738c0085d326db3fb580585_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      PID:3732
C:\Windows\SysWOW64\catchsketch.exe "C:\Windows\SysWOW64\catchsketch.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4568
    C:\Windows\SysWOW64\catchsketch.exe "C:\Windows\SysWOW64\catchsketch.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID:3952