Analysis
- max time kernel: 91s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 02:08

Static task: static1
Behavioral task: behavioral1
Sample: 00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe
Resource: win7-20240611-en
General
- Target: 00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe
- Size: 549KB
- MD5: 00cf8adbfebe8de5c9f5a6caf77bc5cb
- SHA1: 6e9723685f93d3ddd5625a726aaf5e2757c50c4d
- SHA256: 99610e6f8f7e58c8bc2f5bf10aeda421252a8b0706695caf9f152f718b634504
- SHA512: 65503e39c41a8a46b9b99198da87916356fae0630edac9b6e6b1860e9176247df659fc5bd937e2d8bd84c596f216a8d3025f36be4c1d1c1d06cfa323c0725153
- SSDEEP: 12288:7lFtWpbjQ+nPXCmHntSkhLLsWgCCKVJgbfj:ZFtg4+nvCmHntSWgCCKefj
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2292  server.exe
-
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\server.exe                                  upx
  behavioral2/memory/2292-9-0x0000000000400000-0x0000000000490000-memory.dmp    upx
  behavioral2/memory/2292-10-0x0000000000400000-0x0000000000490000-memory.dmp   upx
-
Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  2172  2292        WerFault.exe  server.exe
  3616  1916        WerFault.exe  00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1916  00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid   process                                              target process
  PID 1916 wrote to memory of 2292    1916  00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe   server.exe
  PID 1916 wrote to memory of 2292    1916  00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe   server.exe
  PID 1916 wrote to memory of 2292    1916  00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe   server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00cf8adbfebe8de5c9f5a6caf77bc5cb_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\server.exe
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 224
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 232
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1916 -ip 1916
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 503KB
  MD5: 338901f55359a82fc929f3025e951d44
  SHA1: 3bf960e8bc01ccf5fd1d7a7e3fc5b54fd80b10c1
  SHA256: dda3b31b016c7888026e02a7e57813c27807ecfe253e24bc0f881b26396b3d40
  SHA512: 3f5ce5a721b6edafd97c30cb45aed42999661c57ee389dec39557fdb279e289a5c3d11d4dad16efefbffd343167e673e338e4552c3a0b756e47228f8a8a3269e
- memory/1916-0-0x00000000001D0000-0x00000000001E5000-memory.dmp
  Filesize: 84KB
- memory/1916-2-0x0000000000400000-0x0000000000405000-memory.dmp
  Filesize: 20KB
- memory/1916-13-0x0000000000400000-0x0000000000405000-memory.dmp
  Filesize: 20KB
- memory/2292-9-0x0000000000400000-0x0000000000490000-memory.dmp
  Filesize: 576KB
- memory/2292-10-0x0000000000400000-0x0000000000490000-memory.dmp
  Filesize: 576KB