Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
Size: 2.0MB
MD5: 366774662ccbe5b67de997b980c250f8
SHA1: 7602d334fe709c484d07011334a08801c70b4015
SHA256: c2a4cd5a5e655f16ead7aebff8ada0a1e67cff54d4a1be1d07816cbf3aba5563
SHA512: 6b2098208a6af2bdced31a7a143d753b3f31b65cace33e3533da2b1ea1c06197d22a697934d62329fa5b12eeb876979198305f70ce46d7d57fcc429962d87208
SSDEEP: 49152:hPmzRUWcCvItro4EfcOPzePmzRUWcCvItro4Efc1PzqPN:hPmzRT14szePmzRT14VzqPN
Malware Config
Signatures
Executes dropped EXE (9 IoCs)
PID   Process
1436  thuder.exe
2692  thuder.exe
1252  thuder.exe
2928  thuder.exe
2424  thuder.exe
660   thuder.exe
1980  thuder.exe
840   thuder.exe
1216  thuder.exe

Loads dropped DLL (2 IoCs)
PID   Process
1656  366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
1656  366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

Drops file in Program Files directory (12 IoCs)
Description   IoC                                                                    Process
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe
File created  C:\Program Files\IIJFYP\thuder.exe                                     366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created  C:\Program Files\IIJFYP\thuder0.txt                                    thuder.exe
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe
File created  C:\Program Files\IIJFYP\thuder.chm                                     366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created  C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt  366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe
File created  C:\Program Files\IIJFYP\ipc                                            thuder.exe

Drops file in Windows directory (1 IoC)
Description   IoC                        Process
File created  \??\c:\windows\win32.btl   366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (40 IoCs)
Each parent/child pair below is recorded four times in the report (40 events in total).
Source PID  Source process                                      Target PID  Target process
1656        366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe  2728        NOTEPAD.EXE
1656        366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe  1436        thuder.exe
1436        thuder.exe                                          2692        thuder.exe
2692        thuder.exe                                          1252        thuder.exe
1252        thuder.exe                                          2928        thuder.exe
2928        thuder.exe                                          2424        thuder.exe
2424        thuder.exe                                          660         thuder.exe
660         thuder.exe                                          1980        thuder.exe
1980        thuder.exe                                          840         thuder.exe
840         thuder.exe                                          1216        thuder.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe"
    PID: 1656
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\IIJFYP\366774662ccbe5b67de997b980c250f8_JaffaCakes118.txt
      PID: 2728
      (The command line names system32 but the image path is SysWOW64: WOW64 file-system redirection, consistent with a 32-bit parent process.)
  [2] C:\Program Files\IIJFYP\thuder.exe
      Command line: "C:\Program Files\IIJFYP\thuder.exe"
      PID: 1436
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\IIJFYP\thuder.exe
        Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
        PID: 2692
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files\IIJFYP\thuder.exe
          Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
          PID: 1252
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files\IIJFYP\thuder.exe
            Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
            PID: 2928
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
          [6] C:\Program Files\IIJFYP\thuder.exe
              Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
              PID: 2424
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious use of WriteProcessMemory
            [7] C:\Program Files\IIJFYP\thuder.exe
                Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
                PID: 660
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious use of WriteProcessMemory
              [8] C:\Program Files\IIJFYP\thuder.exe
                  Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
                  PID: 1980
                  - Executes dropped EXE
                  - Drops file in Program Files directory
                  - Suspicious use of WriteProcessMemory
                [9] C:\Program Files\IIJFYP\thuder.exe
                    Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
                    PID: 840
                    - Executes dropped EXE
                    - Drops file in Program Files directory
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Program Files\IIJFYP\thuder.exe
                       Command line: "C:\Program Files\IIJFYP\thuder.exe" 12345
                       PID: 1216
                       - Executes dropped EXE
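The WriteProcessMemory signature and the process tree show the dropped thuder.exe relaunching itself with the argument 12345 until nine copies are nested under the original sample, with a NOTEPAD.EXE decoy beside the chain. The Python below is an added example and is not part of the sandbox report or the sample: it parses event lines written in the report's own "wrote to memory of" wording (a constructed sample embedded inline, with the duplicate per-child events the report records collapsed), rebuilds the parent/child tree, and reports any run of same-image processes nested at least min_len deep, which is the pattern to alert on rather than any single process creation. The function and class names (parse_events, ProcessTree, analyse) are the example's own.

```python
import re

# One event per line, in the report's own wording:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed sample in the report's event format. The repeated NOTEPAD.EXE
# line stands in for the four events the sandbox records per child process.
SAMPLE_EVENTS = """
PID 1656 wrote to memory of 2728 1656 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe NOTEPAD.EXE
PID 1656 wrote to memory of 2728 1656 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe NOTEPAD.EXE
PID 1656 wrote to memory of 1436 1656 366774662ccbe5b67de997b980c250f8_JaffaCakes118.exe thuder.exe
PID 1436 wrote to memory of 2692 1436 thuder.exe thuder.exe
PID 2692 wrote to memory of 1252 2692 thuder.exe thuder.exe
PID 1252 wrote to memory of 2928 1252 thuder.exe thuder.exe
PID 2928 wrote to memory of 2424 2928 thuder.exe thuder.exe
PID 2424 wrote to memory of 660 2424 thuder.exe thuder.exe
PID 660 wrote to memory of 1980 660 thuder.exe thuder.exe
PID 1980 wrote to memory of 840 1980 thuder.exe thuder.exe
PID 840 wrote to memory of 1216 840 thuder.exe thuder.exe
"""


def parse_events(text):
    """Return unique (src_pid, src_img, dst_pid, dst_img) edges in first-seen order."""
    edges = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue  # lines from other signatures are ignored
        edges.setdefault((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]), None)
    return list(edges)


class ProcessTree:
    """Parent/child tree rebuilt from WriteProcessMemory source->target pairs."""

    def __init__(self, edges):
        self.image, self.parent, self.children = {}, {}, {}
        for src, src_img, dst, dst_img in edges:
            self.image.setdefault(src, src_img)
            self.image[dst] = dst_img
            self.parent[dst] = src
            self.children.setdefault(src, []).append(dst)
            self.children.setdefault(dst, [])

    def roots(self):
        return [pid for pid in self.image if pid not in self.parent]

    def depth(self, pid):
        """1-based nesting level, the same numbering the report's process tree uses."""
        level = 1
        while pid in self.parent:
            pid = self.parent[pid]
            level += 1
        return level

    def lineage(self, pid):
        """PIDs from the root down to pid."""
        path = [pid]
        while path[-1] in self.parent:
            path.append(self.parent[path[-1]])
        return path[::-1]

    def self_spawn_chains(self, min_len=3):
        """Maximal parent->child runs in which every process has the same image name.

        One process creation is ordinary; a run of min_len or more copies of a
        single image, each spawning the next, is the pattern worth alerting on.
        """
        found = []

        def walk(pid, run):
            same = [c for c in self.children[pid] if self.image[c] == self.image[pid]]
            other = [c for c in self.children[pid] if self.image[c] != self.image[pid]]
            if not same and len(run) >= min_len:
                found.append((self.image[pid], run))
            for child in same:
                walk(child, run + [child])
            for child in other:
                walk(child, [child])  # a different image starts a fresh run

        for root in self.roots():
            walk(root, [root])
        return found


def analyse(text, min_len=3):
    """Parse event text and return (tree, list of self-spawn chains)."""
    tree = ProcessTree(parse_events(text))
    return tree, tree.self_spawn_chains(min_len)


if __name__ == "__main__":
    tree, chains = analyse(SAMPLE_EVENTS)
    for image, run in chains:
        print(f"{image}: {len(run)} nested copies, tree depth "
              f"{tree.depth(run[0])} to {tree.depth(run[-1])}")
        print("  " + " -> ".join(str(pid) for pid in run))
```

On the constructed sample this reports one chain, thuder.exe at PIDs 1436 through 1216, spanning tree depths 2 to 10, and leaves the NOTEPAD.EXE branch alone. The min_len threshold is what keeps legitimate parent/child pairs of the same image (an updater restarting itself, a browser and its renderers) from firing; tune it against a baseline before using it as a detection.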
Network
MITRE ATT&CK Enterprise v15
Downloads

File (7KB)
  MD5: c96c8be3ef0884f3237c3e054ad7de0a
  SHA1: 2cc4f836ceaf5d2d7d70381f8fdb636a09c0ba6b
  SHA256: 27f45d03e0334b665ae03dc1d6fa3220e3ec35f64cb93b5f0589bb5c0f40896d
  SHA512: a909dfab5146bd08c67ded7a83f00c7db26945fa3203cb35c2041f8c857a75c30533e9f4a4cda6ea14629c36d6c8f404c4c5eb19cd4a863f79544c92ed944601

File (133B)
  MD5: 314417833b0d327beccab7cb68cd4f7c
  SHA1: f6bed9edc9ed8e9ff928194670f5ec3eda2763e3
  SHA256: 37ed866abc19465aa2172d651bbd3ffe2836add54ba3065ff7189f1a75410d9f
  SHA512: c8645c0528d9b7309b2d6870f8250384654db64fc605667aabdc26d8429a1d03d3306a3082b22afff395d2e1669317dee96f9c6dd839ca440283cb2fe1a223ff

File (44B)
  MD5: 3d318935b134cd593c7f1bffcd33cf7c
  SHA1: b17f1aa31f21549301522c91ce62aa3ef5dcfbfe
  SHA256: 30e72fa5bf5971466907df1b86b42fb95f718b3e8e2995c084ac9921462f594a
  SHA512: c1da00c13f2928bd434189f0b28b3c28190561113f20375259a16e06376ed5b464e316e1cc040ac04a841c84d198e66aeeea9d44dfa945faf542103a96e2bfb9

File (10B)
  MD5: 74e6cd7307b1a960f888f0ff71c48e26
  SHA1: 3ed8d02a5c138a52e7a5b3128cfa974282205f48
  SHA256: 45bdbeca33ce754e4974e7fb95fc485c2f2cfa4bdf16d310a5173df7d130fb68
  SHA512: f331c834224f72ca78b2a553be4b1e9cc2de5f2821189c0e8c0372327502d4e695d52493fb1a24dbd736ab54935c3ca88cf6fea06fef3d4fbd114e7d54edba6a

File (5.8MB)
  MD5: 6ad3e54ceed6af6a3174110407161399
  SHA1: 2f4171b590a530336895974ea27d0f5153b63a5e
  SHA256: d2327a72cfcb3a42825de42328628c947ae960330a1791a6ac3739fee1226747
  SHA512: 1575e3dfee0eef44c173998711ecd8d0195fb8a82d46eb7620a65e8a6c6adce4e1e31d217bcd038a0a966350ceff9fcf05325b781c8859d9e61ff929b7cf5999