Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09/07/2024, 21:15
Behavioral task behavioral1
- Sample: 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
- Size: 230KB
- MD5: 320075e33fac99eaee9d572c189d07e8
- SHA1: 6b2ca9960ebedbe7e369f0f9f2429e5a320586c9
- SHA256: f45c0c31e5b2fe74a42738056ce29f433faa06af893b3838dee1c3c890d43bfc
- SHA512: c5a7e4b85b60a56be9f0b54dae2e3e5363ee732a61c4f8af03041ab21b8b8dbf0d60c2ba18727f8c8f12b691fe6ace6b994e617cd29993437b544da6c0007ec3
- SSDEEP: 6144:XpJ8yUj4nWUNUkpprAMoCzghZu3pNHmYe3DmJztw9/o:XVWUNUIAMoQeu3pNzoDmJztq
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1616, process Snajia.exe
- YARA rule match: upx (4 resources)
  behavioral1/memory/1928-0-0x0000000000400000-0x000000000043B000-memory.dmp
  behavioral1/memory/1928-7-0x0000000001F20000-0x0000000001F5B000-memory.dmp
  behavioral1/memory/1616-10-0x0000000000400000-0x000000000043B000-memory.dmp
  behavioral1/files/0x0007000000016d18-9.dat
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\KCSCPW1HKH = "C:\\Windows\\Snajia.exe" (process: Snajia.exe)
- Drops file in Windows directory (4 IoCs)
  File created: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (process: 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (process: 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe)
  File created: C:\Windows\Snajia.exe (process: 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe)
  File opened for modification: C:\Windows\Snajia.exe (process: 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe)
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\International (process: Snajia.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main (process: Snajia.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1616, process Snajia.exe (all 64 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1928 wrote to memory of 1616; pid 1928, process 320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe, procid_target 30 (listed 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\320075e33fac99eaee9d572c189d07e8_JaffaCakes118.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID: 1928
   2. C:\Windows\Snajia.exe (child of process 1)
      Command line: C:\Windows\Snajia.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      PID: 1616
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 230KB
  MD5: 320075e33fac99eaee9d572c189d07e8
  SHA1: 6b2ca9960ebedbe7e369f0f9f2429e5a320586c9
  SHA256: f45c0c31e5b2fe74a42738056ce29f433faa06af893b3838dee1c3c890d43bfc
  SHA512: c5a7e4b85b60a56be9f0b54dae2e3e5363ee732a61c4f8af03041ab21b8b8dbf0d60c2ba18727f8c8f12b691fe6ace6b994e617cd29993437b544da6c0007ec3
- Filesize: 372B
  MD5: 151bbf843dc9ebec76eac04f2f00106f
  SHA1: 18b4cb6a8be183c519962bc596e1909e406469ce
  SHA256: dde430a6624bfbc08bfc29339860bac1548880895a444b07191a154ac31a2413
  SHA512: 0372b1e2a0208409bddfd8ef04be3984133710ea133b41add9c9449c735c0c0bedb5b30167b35e51353e9d235cdddb43718d5fb024c36b1d89ee63efca305d28