Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 03:21
Static task: static1
Behavioral task: behavioral1
Sample: 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
Size: 240KB
MD5: 108e9934b04e62f29361fa23c57023a2
SHA1: 63b3ec1d09687a1051403e92f0f146e06e8eb7d5
SHA256: 8e7e171f1f84d83de0e174bca33baf72289a7d90645d2079c26238e0dbbf18f7
SHA512: 521be4c56a2a0fbde1cc87796bf267f9638fd2f7ef33caad482d1ae1a7a458f9c57e10ed7fe3632f18439c613701376da28fa2e27296107cdc7d0d96256461f9
SSDEEP: 6144:lhKKXGaHs5jiGVKkblgCEjocdK4kU5qhxdo:lhq8slTVKslgUqK41wDdo
Malware Config
Signatures
resource | yara_rule
behavioral1/files/0x0008000000015cbf-22.dat | aspack_v212_v242
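The aspack_v212_v242 rule firing on a dropped file (behavioral1/files/0x0008000000015cbf-22.dat) indicates that file is wrapped in the ASPack runtime packer, so its imports and strings only become meaningful after unpacking, and any static comparison against the hashes further down applies to the packed container rather than the payload. The Python below is an added example, not the sandbox's YARA rule and not code from the sample: it reads the PE section table, which ASPack leaves with sections named .aspack and .adata, and returns a packer hint. The PACKER_SECTION_NAMES list and the minimal PE built by build_min_pe() are constructed for the example; section names are trivially renamed, so a hit is a triage hint to confirm with entropy or entry-point checks, not proof.

```python
"""Packer hint from a PE section table.

Added example (not the sandbox's YARA rule and not code from the sample).
ASPack leaves sections named .aspack and .adata behind; UPX leaves UPX0/UPX1.
The check reads only the section headers, it does not unpack anything.
"""
import struct
from typing import List, Optional

# Assumption: a short illustrative list of packer section names.
PACKER_SECTION_NAMES = {
    b".aspack": "ASPack",
    b".adata": "ASPack",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
}


def section_names(image: bytes) -> List[bytes]:
    """Return the 8-byte names from the section table of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(image):
            raise ValueError("section table runs past end of image")
        names.append(image[off:off + 8].rstrip(b"\0"))
    return names


def packer_hint(image: bytes) -> Optional[str]:
    """Name of the packer suggested by the section names, or None.

    Section names are trivial to rename, so a miss proves nothing and a hit
    is a triage hint to confirm with entropy or entry-point checks.
    """
    for name in section_names(image):
        if name in PACKER_SECTION_NAMES:
            return PACKER_SECTION_NAMES[name]
    return None


def build_min_pe(names: List[bytes]) -> bytes:
    """Constructed stand-in for a real binary: DOS header, PE signature,
    COFF header with an empty optional header, one section header per name."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    sections = b""
    for i, name in enumerate(names):
        sections += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
            0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    packed = build_min_pe([b".text", b".aspack", b".adata"])
    print(section_names(packed), packer_hint(packed))
```

To run it against the dropped file itself, pass `open(path, "rb").read()` to `packer_hint()`; the parser only needs the headers, so it is safe on a packed binary.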
Executes dropped EXE (1 IoC)
pid | Process
1996 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
Loads dropped DLL (10 IoCs)
pid | Process
1932 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
1932 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
2084 | WerFault.exe
2084 | WerFault.exe
2084 | WerFault.exe
2084 | WerFault.exe
2084 | WerFault.exe
2084 | WerFault.exe
2084 | WerFault.exe
1932 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\king_mg = "C:\\Windows\\system32\\mgking.exe" | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mgking.exe | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mgking.exe | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\mgking0.dll | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mgking0.dll | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2084 | 1996 | WerFault.exe | 28
Suspicious behavior: EnumeratesProcesses (17 IoCs)
pid | Process
1932 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe (17 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1932 wrote to memory of 1996 | 1932 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | 28 (4 entries)
PID 1996 wrote to memory of 2084 | 1996 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe | 29 (4 entries)
PID 1932 wrote to memory of 1064 | 1932 | 108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe | 18
Processes
C:\Windows\Explorer.EXE (PID 1064)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe (PID 1932)
    command line: "C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe (PID 1996)
      command line: C:\Users\Admin\AppData\Local\Temp\108e9934b04e62f29361fa23c57023a2_JaffaCakes118mgr.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe (PID 2084)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 100
        - Loads dropped DLL
        - Program crash
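Several details in this report connect. The Run value king_mg points at C:\Windows\system32\mgking.exe, yet the file writes landed in C:\Windows\SysWOW64\mgking.exe and mgking0.dll, and the crash handler for the dropped mgr.exe (PID 1996) was the SysWOW64 WerFault.exe, i.e. the 32-bit one. That is the pattern WOW64 file system redirection produces when a 32-bit process writes to System32 on x64 Windows 7 (that the main sample is itself 32-bit is an assumption; the report only shows its child being handled by the 32-bit WerFault). The Run key is processed by the 64-bit shell, which is not redirected, so whether the autostart really launches the dropped copy at next logon is not something this run demonstrates. The WriteProcessMemory table also shows the sample writing into Explorer.EXE (PID 1064), which the tree above only shows as its parent. The Python below is an added example and not part of the report: it correlates Run-key writes with file-create events, tries both the literal and the redirected path, and flags the case where only the redirected copy exists. The EVENTS list and its field names are constructed for the example from the report's IoCs; the wow64 field is an assumption.

```python
"""Correlate a Run-key autostart with dropped files under WOW64 redirection.

Added example, not part of the sandbox report. Event dicts and their field
names are constructed for the example; the values mirror the report's IoCs.
"""
import re
from typing import Dict, List

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed telemetry. 'wow64' marks a 32-bit writer on x64 Windows, an
# assumption for the main sample (the report only shows its child handled by
# the SysWOW64 WerFault.exe).
EVENTS: List[Dict] = [
    {"type": "file_create", "pid": 1932, "wow64": True,
     "path": r"C:\Windows\SysWOW64\mgking.exe"},
    {"type": "file_create", "pid": 1932, "wow64": True,
     "path": r"C:\Windows\SysWOW64\mgking0.dll"},
    {"type": "reg_set", "pid": 1932, "wow64": True,
     "key": r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\king_mg",
     "data": r"C:\Windows\system32\mgking.exe"},
]


def exe_from_value(data: str) -> str:
    """Executable path from Run value data: a quoted path, or a bare path up
    to the whitespace that follows a known binary/script extension."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|cmd|bat|vbs|js|ps1))(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def redirected(path: str) -> str:
    """Where a WOW64 process's write to C:\\Windows\\System32 actually lands."""
    return re.sub(r"(?i)^(C:\\Windows)\\system32\\", r"\1\\SysWOW64\\", path)


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def assess_persistence(events: List[Dict]) -> List[Dict]:
    """For every Run-key write, report which dropped file it resolves to."""
    dropped = {norm(e["path"]) for e in events if e["type"] == "file_create"}
    findings = []
    for e in events:
        if e["type"] != "reg_set" or not RUN_KEY_RE.search(e["key"]):
            continue
        literal = exe_from_value(e["data"])
        candidates = [literal]
        if e.get("wow64") and redirected(literal) != literal:
            candidates.append(redirected(literal))
        matches = [c for c in candidates if norm(c) in dropped]
        findings.append({
            "value": e["key"].rsplit("\\", 1)[-1],
            "literal_target": literal,
            "dropped_match": matches,
            # The 64-bit shell that runs Run entries is not redirected, so a
            # match only on the SysWOW64 copy means the literal path may not
            # resolve at logon.
            "literal_is_dropped": norm(literal) in dropped,
        })
    return findings


if __name__ == "__main__":
    for finding in assess_persistence(EVENTS):
        print(finding)
```

For the constructed events the single finding names king_mg, a literal target of C:\Windows\system32\mgking.exe, a match only on the SysWOW64 copy, and literal_is_dropped False; on real telemetry the same logic needs the writer's bitness from the process image, which the sandbox summary does not carry.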
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60KB
MD5: 94f2f6ffbba8e7644668b51b39983916
SHA1: 63357bbdf90101969117983dbc0d4ed0e713c4d7
SHA256: ede7603855cb37082c241c720a6650988c684eb3bcb263e5dd7b457458940fed
SHA512: d04430ceac70c6fa71d07d9ee82ac2bb5e6c0641d5c9e7e5a3ed39d342e8b198f367676516a55f0653e0b88635a027b9ad220e223145b8be8df281bb6faf7156

Filesize: 114KB
MD5: 21c8f7083a59c407226363950804c4f8
SHA1: 8a6b1d0942afa365ab4b7cd0e82c13bd9cae2524
SHA256: 015fc0b2cdaf8c7f2fd3b0ee1a0e03e1c4589ef21c1781a60a8ce90a8e16bde5
SHA512: eb7253e85f77cc45c02bfbab25cd0324cc4b59d484bf8807561f69edfc69713330299308aace3ba3671b34bc9c852d42344d5f5c64181184f2f71bd7ced782f8