Analysis
max time kernel: 141s
max time network: 124s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 23:52
Static task: static1
Behavioral task: behavioral1
  Sample: 36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
Size: 794KB
MD5: 36e75bcdd349e9aac5f525644a31f1d3
SHA1: b8f360578b1efe23437f38b46734b354eb2d11d6
SHA256: 4d46e581b79b26dada9734336c957bd6e6ad3e216db81b3d513beb8589294e7d
SHA512: a325dc4e399d3b24522a0a2750e763d846c5a4260b45e93921a9912a0964276e9c779a5388356fed5201c4db8dc91ad09a1312419370d323d47b342019c5ded9
SSDEEP: 12288:cGehnWS1CJ0bhX0iItc6c/9Z23iLH22qQ3QZlg0:cxEGC4ps8FZ23ucQ3QE0
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  2192  CRYPTED.EXE
  2800  Y!BEEP.EXE
  2836  CRYPTED.exe

Loads dropped DLL (10 IoCs)
  pid   Process
  2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  2192  CRYPTED.EXE
  2884  WerFault.exe
  2884  WerFault.exe
  2884  WerFault.exe
  2884  WerFault.exe
  2884  WerFault.exe

Drops file in System32 directory (3 IoCs)
  description                   ioc                               Process
  File created                  C:\Windows\SysWOW64\CRYPTED.EXE   36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\Y!BEEP.EXE    36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\CRYPTED.exe   CRYPTED.EXE

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process      procid_target
  PID 2192 set thread context of 2836  2192  CRYPTED.EXE  33

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2884  2836        WerFault.exe  33

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2192  CRYPTED.EXE
  2800  Y!BEEP.EXE

Suspicious use of WriteProcessMemory (23 IoCs)
  description                        pid   Process                                             procid_target
  PID 2428 wrote to memory of 2192   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  31
  PID 2428 wrote to memory of 2192   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  31
  PID 2428 wrote to memory of 2192   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  31
  PID 2428 wrote to memory of 2192   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  31
  PID 2428 wrote to memory of 2800   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  32
  PID 2428 wrote to memory of 2800   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  32
  PID 2428 wrote to memory of 2800   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  32
  PID 2428 wrote to memory of 2800   2428  36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe  32
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2192 wrote to memory of 2836   2192  CRYPTED.EXE                                         33
  PID 2836 wrote to memory of 2884   2836  CRYPTED.exe                                         34
  PID 2836 wrote to memory of 2884   2836  CRYPTED.exe                                         34
  PID 2836 wrote to memory of 2884   2836  CRYPTED.exe                                         34
  PID 2836 wrote to memory of 2884   2836  CRYPTED.exe                                         34
Processes
1. C:\Users\Admin\AppData\Local\Temp\36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\36e75bcdd349e9aac5f525644a31f1d3_JaffaCakes118.exe"
   PID: 2428
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\CRYPTED.EXE
      Command line: "C:\Windows\system32\CRYPTED.EXE"
      PID: 2192
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\CRYPTED.exe
         PID: 2836
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 36
            PID: 2884
            - Loads dropped DLL
            - Program crash

   2. C:\Windows\SysWOW64\Y!BEEP.EXE
      Command line: "C:\Windows\system32\Y!BEEP.EXE"
      PID: 2800
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 155KB
MD5: 849e5da7bbe21eae56d87e387c7541e9
SHA1: ae8fab54d2fc19a7716465cbfc90806a26e66e8e
SHA256: 598ee7b1d6d4ffaba6ef3df8d9c47b812667fcdb47feb5a0e877d68ff2109d84
SHA512: 7625c35a24e6d3bfde3f6ab04136feccc6adc241e4254e47ff6bbf63a46d03e100a8868d2c3b8b562e8e5b958bcf88846eefe95b484a4d14eab9c3126422876d

Filesize: 280KB
MD5: 7b90ce2a72663280e6f25dd5b3ac0462
SHA1: f05f170d68f248ee0add768dd6b93d03b20892cd
SHA256: 9de6f625705a523609ac020ff9848805065d81eda5445f9880e60dd4126bfc44
SHA512: b7aba0a1072c800206f7d5a769cdd28f893f63be1f67815b2fc13a5aaa459e9a48828004d7c4470bb000cda2185c8466911dda1d55066d27193f99baab7f13b9