Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 04:59
Static task: static1
Behavioral task: behavioral1
  Sample: 24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
Size: 371KB
MD5: 24b56317bb0c9e124263e7a6968d8df6
SHA1: eaebdbf6d7ea277d3dc419e1f6eba2d606748505
SHA256: 6987f83bea3a8767c163dbe51ff09621c8b18355b1223a5d9b4b852340c95587
SHA512: 58b76eea6c55a7839e55c7c794eea7377d229a3901362d5972300122135fed976b458b6bd999760ac507e44367869a35e079c9c669821977cf26c8691dcfbf80
SSDEEP: 6144:HjbeidwPmGD9KXiznRLaDUUvOlCpCpsJQzANpiq26aeZ2x12IHBmu32xSO7Z:HuuUmeLRLaB/pdJQzA3ir69ZW2IQ7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1112  server.exe

Loads dropped DLL (7 IoCs)
  pid   Process
  2224  24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
  2224  24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
  3060  WerFault.exe
  3060  WerFault.exe
  3060  WerFault.exe
  3060  WerFault.exe
  3060  WerFault.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3060  1112        WerFault.exe  28

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1112  server.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 2224 wrote to memory of 1112  2224  24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe  28
  PID 2224 wrote to memory of 1112  2224  24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe  28
  PID 2224 wrote to memory of 1112  2224  24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe  28
  PID 2224 wrote to memory of 1112  2224  24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe  28
  PID 1112 wrote to memory of 3060  1112  server.exe                                          29
  PID 1112 wrote to memory of 3060  1112  server.exe                                          29
  PID 1112 wrote to memory of 3060  1112  server.exe                                          29
  PID 1112 wrote to memory of 3060  1112  server.exe                                          29
Processes
1. C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24b56317bb0c9e124263e7a6968d8df6_JaffaCakes118.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 2224
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1112
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 188
         - Loads dropped DLL
         - Program crash
         PID: 3060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 70KB
MD5: ef8199679933d079b9c0a25d5da4ada5
SHA1: cd152168f0083096d0f3407cbc992fbc2c00bb1f
SHA256: eebb8515f911596835d376d566a9a1fba36d05503b7a730ba6ec60b24152a105
SHA512: e14e03df6895e0e445ecf6b472a4561ee3a7d94d51d0038087698d7cbb37e80187db28d0c72e12e60815cebed2474ccdd5c7a065d38e69b8ce1c467059a846d5