Analysis

max time kernel: 140s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01/07/2024, 18:44

Static task: static1

Behavioral task: behavioral1
  Sample: 1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: 1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: 1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe
Size: 166KB
MD5: 1c190d68622881257df63c3994fd6ac9
SHA1: d2e010e703055e259d8c0fc69073bdd7a40e56ea
SHA256: d6ee879555b422e175e0a6149b3ac542c5784f278da298e9de08ed3f8b85794e
SHA512: c6172693231b440d6782eb12a9ab85951d18c52f7003e9b33e1877af45bde278eafdd275898c898be3616e3a0cbea4f89eebc97f6deb28bdfd1f0978d9cae104
SSDEEP: 3072:vzXbecErQwV58yfLBH+Js448R76j5aZIffFynk9LrsGXcoWk7PunmJOL3Oo:vzycErQw4yfLBeJGFaZIFak9LrXXcG7G
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2420  hg.exe

Drops file in Windows directory (1 IoC)
  description   ioc                Process
  File created  C:\Windows\hg.exe  1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2804  2420        WerFault.exe  28

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2020  1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 2020 wrote to memory of 2420  2020  1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe  28
  PID 2020 wrote to memory of 2420  2020  1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe  28
  PID 2020 wrote to memory of 2420  2020  1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe  28
  PID 2020 wrote to memory of 2420  2020  1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe  28
  PID 2420 wrote to memory of 2804  2420  hg.exe                                              29
  PID 2420 wrote to memory of 2804  2420  hg.exe                                              29
  PID 2420 wrote to memory of 2804  2420  hg.exe                                              29
  PID 2420 wrote to memory of 2804  2420  hg.exe                                              29
Processes

1. C:\Users\Admin\AppData\Local\Temp\1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe"
   PID: 2020
   - Drops file in Windows directory
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\hg.exe
      Command line: "C:\Windows\hg.exe"
      PID: 2420
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 36
         PID: 2804
         - Program crash
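The process tree and the signature tables describe one short chain: the sample (pid 2020) writes C:\Windows\hg.exe, starts it as pid 2420 and writes into that process's memory, and hg.exe then crashes, which is why WerFault.exe is started with "-p 2420". The Python below is an added example, not part of the sandbox report or its tooling: it correlates a small event list transcribed from the report into the same findings the report flags (file dropped under C:\Windows, dropped file executed by its creator, parent writing into the child it spawned, dropped executable crashing) and parses the WerFault command line to tie the crash back to the dropped binary. The Event schema, its field names and the EVENTS list are assumptions made for illustration, not a sandbox export format. The write from pid 2420 into WerFault (pid 2804) is deliberately skipped: the report's own Program crash signature attributes that WerFault instance to the crash of pid 2420, so treating it as injection would be a false positive.

```python
"""Correlate flattened sandbox events into the behaviours a report like this flags.

Added example, not sandbox code. The Event schema is an assumption made for
illustration; the values are transcribed from the report's Signatures and
Processes sections (behavioral1, win7-20240611-en).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1c190d68622881257df63c3994fd6ac9_JaffaCakes118.exe"
HG = r"C:\Windows\hg.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


@dataclass
class Event:
    kind: str            # "file_create" | "process_create" | "write_process_memory"
    pid: int             # acting process
    target: str = ""     # file_create: path written; process_create: new image
    target_pid: int = 0  # process_create: new pid; write_process_memory: pid written to
    cmdline: str = ""    # process_create only


# Constructed from the report; root pid 2020 is the sample itself.
EVENTS: List[Event] = [
    Event("file_create", 2020, target=HG),
    Event("process_create", 2020, target=HG, target_pid=2420, cmdline=f'"{HG}"'),
    Event("write_process_memory", 2020, target_pid=2420),
    Event("process_create", 2420, target=WERFAULT, target_pid=2804,
          cmdline=f"{WERFAULT} -u -p 2420 -s 36"),
    Event("write_process_memory", 2420, target_pid=2804),
]


def image_map(events: List[Event], root_pid: int, root_image: str) -> Dict[int, str]:
    """pid -> image path, seeded with the root process the tree starts from."""
    images = {root_pid: root_image}
    for e in events:
        if e.kind == "process_create":
            images[e.target_pid] = e.target
    return images


def drops_in_windows_dir(events: List[Event]) -> List[Tuple[int, str]]:
    """File creations anywhere under C:\\Windows (case-insensitive)."""
    return [(e.pid, e.target) for e in events
            if e.kind == "file_create" and e.target.lower().startswith("c:\\windows\\")]


def dropped_then_executed(events: List[Event]) -> List[Tuple[int, str, int]]:
    """(creator_pid, path, new_pid) where a process starts a file it wrote earlier."""
    created: Dict[str, int] = {}
    hits = []
    for e in events:
        if e.kind == "file_create":
            created[e.target.lower()] = e.pid
        elif e.kind == "process_create" and created.get(e.target.lower()) == e.pid:
            hits.append((e.pid, e.target, e.target_pid))
    return hits


def werfault_target_pid(cmdline: str) -> Optional[int]:
    """WerFault.exe names the faulting process with '-p <pid>'; return it or None."""
    parts = cmdline.split()
    if not parts or not parts[0].lower().endswith("werfault.exe"):
        return None
    for i, tok in enumerate(parts[:-1]):
        if tok == "-p" and parts[i + 1].isdigit():
            return int(parts[i + 1])
    return None


def crashed_pids(events: List[Event]) -> List[int]:
    """Every pid a WerFault instance in the tree was started for."""
    out = []
    for e in events:
        if e.kind == "process_create":
            p = werfault_target_pid(e.cmdline)
            if p is not None:
                out.append(p)
    return out


def writes_into_own_child(events: List[Event], images: Dict[int, str]) -> List[Tuple[int, int]]:
    """Parent wrote into a child it spawned; writes into WerFault are the crash hand-off, not injection."""
    parent_of = {e.target_pid: e.pid for e in events if e.kind == "process_create"}
    return [(e.pid, e.target_pid) for e in events
            if e.kind == "write_process_memory"
            and parent_of.get(e.target_pid) == e.pid
            and not images.get(e.target_pid, "").lower().endswith("werfault.exe")]


def summarize(events: List[Event], root_pid: int = 2020, root_image: str = DROPPER) -> dict:
    images = image_map(events, root_pid, root_image)
    crashed = set(crashed_pids(events))
    executed = dropped_then_executed(events)
    return {
        "drops_in_windows_dir": drops_in_windows_dir(events),
        "executes_dropped_exe": executed,
        "dropped_exe_crashed": [(path, pid) for _, path, pid in executed if pid in crashed],
        "writes_into_own_child": writes_into_own_child(events, images),
    }


if __name__ == "__main__":
    for name, finding in summarize(EVENTS).items():
        print(f"{name}: {finding}")
```

Run as a script it prints one line per finding. The only parsing it does is of the WerFault command line, which is what links the crash to the dropped executable; everything else is joins on pid and lower-cased path, which is also how the "procid_target" column in the report should be read (an internal process index, not the Windows pid).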
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 146KB
MD5: 3569bdca1ed02e225511fc2164bd7bf2
SHA1: 4f38447c6161f773ccad70426d2ce4a5869f3349
SHA256: bd0138c1e39aabc1a0c9c894d063006518f7d2d6328850bda7cb44dc2ea40630
SHA512: 5fc61d3ad9b5eb3a3d1633be83c8f09c0627c5e502de1adf615415518750b2371b9a506c2a24a7c61aeae1b36444ea01800f8009aba8b5f497178be4b7512b64