Analysis
max time kernel: 141s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 19/06/2024, 23:48
Static task: static1
Behavioral task: behavioral1
  Sample: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
Size: 18.0MB
MD5: 014267c35a941fe3f50b67f7cd44edb6
SHA1: 04e94bbee3d2fee9ec4daa1971a71a210c5b58fe
SHA256: 2edb727db62b8614c818795e7e4fe6172bc8cfd0461aa2c5c3f4c92700807cb7
SHA512: 46aabe69f95774ee084bf770528c13f84597533dd4a03b4b3a2122e5566ade539a213b6e153199d2181ac76c2b8a55cb055799c5deed028ed796bbcea8cfab83
SSDEEP: 393216:aeEtzp1bpgQp2DngoAB9eD0ldEM3WzM5TidGE/6m2QoCOJ25:aeEt11CQpyPAbXHj3WA5OdGE/6VQoCwy
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  PID 2656: LimUpdate.exe
- Loads dropped DLL (6 IoCs)
  PID 2080: 014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe (3 events)
  PID 2656: LimUpdate.exe (3 events)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2080 (014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe) wrote to memory of PID 2656, procid_target 28 (7 events)
  PID 2656 (LimUpdate.exe) wrote to memory of PID 2616, procid_target 30 (7 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\014267c35a941fe3f50b67f7cd44edb6_JaffaCakes118.exe"
   PID: 2080
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\limpopograss\temp\LimUpdate.exe (child of PID 2080)
      Command line: "C:\limpopograss\temp\LimUpdate.exe"
      PID: 2656
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (child of PID 2656)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1FD0.tmp\LimUpdate.bat""
         PID: 2616
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b4ef42402828909c0818a117e9511bfe
  SHA1: 41cbdd671b701f85f75e6ac0a862e20102617489
  SHA256: 68f5149616ed2f648139cd104f5b3ceddf5be6774496141c9b67a9eadf81ef6b
  SHA512: 99c3efdfdbbe0a915a657a3cfb1d130be5f9cae82358b087d41b00bdca73f5090ccd66e631d3ad4bd145c316e7ee9919ee7b8fbf80c35d30f6093c966b33289d
- Filesize: 14KB
  MD5: 2e6038c0ec51bf9624ef0fcfa0099dae
  SHA1: aafbb5d3c72947476f87b77db02422982e9f5265
  SHA256: 1b9bcd405fc22ef5bcc0bb965403e629016f992320585be8b77766a025825ae5
  SHA512: d00335845035db2fca9d4d179dffc069152cab9dc5a1104e71aad06883d486c55c2748e6985960ec73207159f97001b6635926a499d1a58e1ff871b1b56ded9d
- Filesize: 25KB
  MD5: a20d9350f0eddf5ccdbc3cc408f96d9b
  SHA1: 2a05c8c9398885c947b5c4dd0dbe2fe5b1fccf5a
  SHA256: 4c055e4fa5c324cd35cc180adbbf33b4ccbdaf106250a25a7244099c9822ca7c
  SHA512: d989d3cac2932e272dd948010e5db90c1887e6da5ba859a741b9f65c8da5f351fac2aae7e995f1049beec3a687a7649c6f4a1796f54219543b2d32413fda7233