Analysis
Max time kernel: 133s
Max time network: 124s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03/07/2024, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: 214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe
Resource: win10v2004-20240611-en
Behavioral task: behavioral3
Sample: $TEMP/BetterInstaller.exe
Resource: win7-20240221-en
Behavioral task: behavioral4
Sample: $TEMP/BetterInstaller.exe
Resource: win10v2004-20240508-en
General
Target: 214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe
Size: 154KB
MD5: 214d6295a7e2caeedbda5ed49e43a525
SHA1: 583adcd385e797bd21cc5908c90dd3536273891b
SHA256: 92174ba231accbdeffb5af3875088bcb76b7906507b7cdfdb4d29838b158cd75
SHA512: e3c2fe3228d18f2a8eab301e93be59afd938ea3b8a0642056fda0683effe845dc86ae39befe3a2684db231b4dbaaf3256c7c161e6fd7381687d8f135db7d4680
SSDEEP: 3072:C22ihA0m3BJP0AfuGKIiVZmf474Q3VzVCcVkv1v8///SmWX8sxxOD5yi:9A0m3D0AnFyQf4MIVzVTqe33WX8oi
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 3424  process BetterInstaller.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3424  process BetterInstaller.exe
  pid 3424  process BetterInstaller.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1196 wrote to memory of 3424  process 214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe  procid_target 82
  PID 1196 wrote to memory of 3424  process 214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe  procid_target 82
  PID 1196 wrote to memory of 3424  process 214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe  procid_target 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\214d6295a7e2caeedbda5ed49e43a525_JaffaCakes118.exe"
   PID: 1196
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\BetterInstaller.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\BetterInstaller.exe" /affid "wallpaperstocknet" /id "pinkflowerpetalsurtu" /name "Pink flower petals"
      PID: 3424
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 207KB
MD5: d79b88bab3231ebebd3c6505ab68ce56
SHA1: 3222e8dab740ba1d640cc66a9cd36070969deb80
SHA256: d4032354c8ca3b93fd18414d6a7935bcecb18f25534b2259eeaf7d3081ec13ec
SHA512: b8afbd52e74d8611714a33bd80a907be8080195bd574ceb0aa8ce44520c9cf6c40ccce4a4db9be0808b8b5a6b7b0fee17ee42f9cca67d69152dd1f1d8ddd99a9

Filesize: 112B
MD5: c36d142016c82a76bd10a5fc19f86e26
SHA1: a47f9bfee25c4e477198f31a29ab6d3af7e56127
SHA256: 64b5e035098118a6c9b3798a94230012b7483510454760ca67574933d16084df
SHA512: 717ca21b13d11169f2f8dbd3fc52856117f8f0f2707a102a72b9eb5b795101df64cd735780320d0aae426b9487a2abcd9df161a8858e601923e9f7f53620e996