Analysis
max time kernel: 147s
max time network: 124s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 09-07-2024 15:20
Static task: static1
Behavioral task: behavioral1
  Sample: 30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
Size: 45KB
MD5: 30e881a3988e3f38f58698b2f9bb96c4
SHA1: 380da287773281f36517ab501ae195fb0cb28587
SHA256: 9e0eecfc5fefd5ecdc5cc205a1585fe30c5d9bac455c981d03b57c965e31fa9f
SHA512: d7b8631ea383de0f9be86ea17b13ba5c2331f7c7586c818ae42518a8124eeb39e20f7074d01eef7df289db787572efed6c5c4c638d45d51a26d6fe13dc7ecc77
SSDEEP: 768:bclMNYiKC+qzfevpe4sQ72uKcopRaQP0xxXllllllllllllllllllllllllllll/:jR+MevpkCXx2vuyfC9dhheenh
Malware Config
Signatures
- Drops startup file (1 IoCs)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JMicron.lnk
  Process: WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs net.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  pid: 1928  Process: 30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                          pid   Process                                              procid_target
  PID 1928 wrote to memory of 2524     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   30
  PID 1928 wrote to memory of 2524     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   30
  PID 1928 wrote to memory of 2524     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   30
  PID 1928 wrote to memory of 2524     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   30
  PID 1928 wrote to memory of 2812     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   32
  PID 1928 wrote to memory of 2812     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   32
  PID 1928 wrote to memory of 2812     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   32
  PID 1928 wrote to memory of 2812     1928  30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe   32
  PID 2524 wrote to memory of 2784     2524  cmd.exe                                              33
  PID 2524 wrote to memory of 2784     2524  cmd.exe                                              33
  PID 2524 wrote to memory of 2784     2524  cmd.exe                                              33
  PID 2524 wrote to memory of 2784     2524  cmd.exe                                              33
  PID 2784 wrote to memory of 2980     2784  net.exe                                              34
  PID 2784 wrote to memory of 2980     2784  net.exe                                              34
  PID 2784 wrote to memory of 2980     2784  net.exe                                              34
  PID 2784 wrote to memory of 2980     2784  net.exe                                              34
Processes
- C:\Users\Admin\AppData\Local\Temp\30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe"
  Signatures: Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  PID: 1928
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c NET STOP wscsvc && NET STOP sharedaccess
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2524
    - C:\Windows\SysWOW64\net.exe
      Command line: NET STOP wscsvc
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2784
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 STOP wscsvc
        PID: 2980
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yqaho.vbs"
    Signatures: Drops startup file
    PID: 2812
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 62fe1bde82e07df9c86f7b8b36786ac7
  SHA1: c707b7957c3016e3327968dbe0933e00b9275380
  SHA256: 59deeb2704d267712eb36a3056efdcd376f9f2fbbc5dd7b722c1dbed41ac63a3
  SHA512: 64c209ab5a922132d50c5c3069009d046c1a38b44349a28307a3cc3c1954ed981624bf8a1c9767ec1e4632919939afce153c41b588222ae280332a54cc64ef11
- Filesize: 34KB
  MD5: ee42f37edc1baf81dabaf9a8c33c4b80
  SHA1: 06737e3966892c6472e2a0e97ae7f2c284397326
  SHA256: 65d2bbd26f221b0035118dd2bebfbab7ec1430f5bed0cdfd40d663193f1d45df
  SHA512: cbf551a14ddf02ee6139f06135e170a08149e0b51f1a2e07bf8fd30afd74a42f6db1e9e5bfd24c35a45391bd4d232e3a684da825bcb8025c609ff213d225ef39
- Filesize: 1KB
  MD5: 185de81473eed7a14ba176160679042e
  SHA1: db8127cec49b9adcf4a594d182ade05f8af88152
  SHA256: 2926ea884d44d115048bffac5c22f9eb3dc3e99108e183f25f1abdbfe8c8b28f
  SHA512: 47bc23d50b928044c243acdd7e9bfe62629f196fef916ba30d1c1d565518957d6cc1e125d8bcc589fccd239b23507e03fd03728934d671c8d1f9552aa8a1b3af