Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 10:41
Behavioral task: behavioral1
- Sample: 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Size: 968KB
- MD5: 11b8dec4860e18494fd077f5e1e1ea96
- SHA1: ff9969b96603261b6299f49db86fbd5e0e94b072
- SHA256: 189e0ced0a024d3af5ffef40132db7d09b1488d912b69cfaae10f6f7f93b1d57
- SHA512: 31cee2dee7dc14885e8c6bd0560f9c6636d850cb5bfed0e2fec1e73a7f264dd2a45c14deecf0bb88b11eb384f5382e52ae36bc9242f03ab16770f68a9befce7b
- SSDEEP: 24576:OOeFa7ebKiOQsKFLEstyU012EAyO1mjn7PidHhcBB:OFYTQsNstydAyO12O3c
Malware Config
Signatures
- VMProtect packed file 1 IoCs
  resource | yara_rule
  behavioral2/memory/4972-0-0x0000000000400000-0x0000000000650000-memory.dmp | vmprotect
- Suspicious use of SetWindowsHookEx 4 IoCs
  pid  | Process
  4972 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
  4972 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
  4972 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
  4972 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory 15 IoCs
  description                        | pid  | Process                                            | procid_target
  PID 4972 wrote to memory of 892    | 4972 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe | 89
  PID 4972 wrote to memory of 892    | 4972 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe | 89
  PID 4972 wrote to memory of 892    | 4972 | 11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe | 89
  PID 892 wrote to memory of 1404    | 892  | cmd.exe                                            | 91
  PID 892 wrote to memory of 1404    | 892  | cmd.exe                                            | 91
  PID 892 wrote to memory of 1404    | 892  | cmd.exe                                            | 91
  PID 892 wrote to memory of 3884    | 892  | cmd.exe                                            | 92
  PID 892 wrote to memory of 3884    | 892  | cmd.exe                                            | 92
  PID 892 wrote to memory of 3884    | 892  | cmd.exe                                            | 92
  PID 892 wrote to memory of 4544    | 892  | cmd.exe                                            | 93
  PID 892 wrote to memory of 4544    | 892  | cmd.exe                                            | 93
  PID 892 wrote to memory of 4544    | 892  | cmd.exe                                            | 93
  PID 892 wrote to memory of 4944    | 892  | cmd.exe                                            | 94
  PID 892 wrote to memory of 4944    | 892  | cmd.exe                                            | 94
  PID 892 wrote to memory of 4944    | 892  | cmd.exe                                            | 94
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe (PID 4972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11b8dec4860e18494fd077f5e1e1ea96_JaffaCakes118.exe"
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 892)
    Command line: C:\Windows\system32\cmd.exe /c C:\IELOCK.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\at.exe (PID 1404)
      Command line: at /delete /y
    - C:\Windows\SysWOW64\cmd.exe (PID 3884)
      Command line: C:\Windows\system32\cmd.exe /c time /t
    - C:\Windows\SysWOW64\at.exe (PID 4544)
      Command line: at 10:41 /interactive /every:m,t,w,th,f,s,su "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.shenlan520.cn
    - C:\Windows\SysWOW64\at.exe (PID 4944)
      Command line: at 11:41 /interactive /every:m,t,w,th,f,s,su "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.92qyw.com
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5088)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
- MD5: eab895f7de20b92da0412f006069f3bd
- SHA1: 75ff405267f375d77bd469953149e9023ba30e95
- SHA256: 58a44568dec6833d28f88ce9c9dd00a4d10d7f4ed0eb00f0812fabdfe7bb266a
- SHA512: 857523dc9bf6fabbfcb302572eb1013b223c24e38c0ad1e9cf1915c7744334fa30ea7af8c58d04039d824ee7e277a9d209b7e55a3b787221ae2523ec30474d03