Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 10:41
Behavioral task: behavioral1
- Sample: 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Size: 968KB
- MD5: 11b8dec4860e18494fd077f5e1e1ea96
- SHA1: ff9969b96603261b6299f49db86fbd5e0e94b072
- SHA256: 189e0ced0a024d3af5ffef40132db7d09b1488d912b69cfaae10f6f7f93b1d57
- SHA512: 31cee2dee7dc14885e8c6bd0560f9c6636d850cb5bfed0e2fec1e73a7f264dd2a45c14deecf0bb88b11eb384f5382e52ae36bc9242f03ab16770f68a9befce7b
- SSDEEP: 24576:OOeFa7ebKiOQsKFLEstyU012EAyO1mjn7PidHhcBB:OFYTQsNstydAyO12O3c
Malware Config
Signatures
- YARA rule match
  resource: behavioral1/memory/1704-0-0x0000000000400000-0x0000000000650000-memory.dmp
  yara_rule: vmprotect
- Registry key created
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main
  Process: 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 1704, Process 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe (recorded 4 times)
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target (each row recorded 4 times)
  PID 1704 wrote to memory of 2588 | 1704 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe | 28
  PID 2588 wrote to memory of 2668 | 2588 | cmd.exe | 30
  PID 2588 wrote to memory of 2956 | 2588 | cmd.exe | 31
  PID 2588 wrote to memory of 2612 | 2588 | cmd.exe | 32
  PID 2588 wrote to memory of 2096 | 2588 | cmd.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe"
  PID: 1704
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\IELOCK.bat
    PID: 2588
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe
      command line: at /delete /y
      PID: 2668
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c time /t
      PID: 2956
    - C:\Windows\SysWOW64\at.exe
      command line: at 10:41 /interactive /every:m,t,w,th,f,s,su "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.shenlan520.cn
      PID: 2612
    - C:\Windows\SysWOW64\at.exe
      command line: at 11:41 /interactive /every:m,t,w,th,f,s,su "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.92qyw.com
      PID: 2096
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: eab895f7de20b92da0412f006069f3bd
- SHA1: 75ff405267f375d77bd469953149e9023ba30e95
- SHA256: 58a44568dec6833d28f88ce9c9dd00a4d10d7f4ed0eb00f0812fabdfe7bb266a
- SHA512: 857523dc9bf6fabbfcb302572eb1013b223c24e38c0ad1e9cf1915c7744334fa30ea7af8c58d04039d824ee7e277a9d209b7e55a3b787221ae2523ec30474d03