Analysis
max time kernel: 11s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 21:08
Static task: static1
Behavioral task: behavioral1
  Sample: 3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
Size: 368KB
MD5: 3663d070e7154882c771c19fd86fa986
SHA1: 0a87fdf0844fcb35d20b5fd70aa7340a2b2e82c2
SHA256: 14cf1f8ecef475147f17fb50fcb448f7ffb510b9bc7cc6fb3e0a24133370c220
SHA512: d4a80fbea1aad5c75b89130f48a702d8845a9c5719137d77344ae63fa9da7d02c032f973b85f6e811a079970e4dc65334a1b4bcf02fe75bd0c7eb6ceb235c91a
SSDEEP: 6144:8gL92UU48OOlg/gwpewysMzEYUM9Kwn832M6w6j0m:3LxU5O/gWysMIYlK4AlOj0m
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 2584 (3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe) set thread context of PID 2556 (3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe)
- Drops file in Program Files directory (1 IoC)
  Processes:
  File created: C:\Program Files\Internet Explorer\Niko\IEXPLORE.EXE by 3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe, cmd.exe
  source PID  source process                                        target PID  target process  calls
  2584        3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe    2556        3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe  9
  2556        3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe    2864        cmd.exe          4
  2864        cmd.exe                                               2736        reg.exe          4
  2864        cmd.exe                                               2440        gpupdate.exe     7
Processes
C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe  (level 1, PID 2584)
  command line: "C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe  (level 2, PID 2556)
    command line: "C:\Users\Admin\AppData\Local\Temp\3663d070e7154882c771c19fd86fa986_JaffaCakes118.exe"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (level 3, PID 2864)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (level 4, PID 2736)
        command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .exe /f
        - Modifies registry key
      C:\Windows\SysWOW64\gpupdate.exe  (level 4, PID 2440)
        command line: gpupdate /force
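The two behaviours worth pulling out of this tree are the sample re-launching its own image and then writing to it and setting its thread context (the shape of process hollowing), and the reg.exe call that moves .exe from its default high-risk class into the Attachment Manager's moderate-risk list (ModRiskFileTypes), followed by gpupdate /force so the change applies at once. The script below is an added example, not part of the sandbox report or the sample: it parses behaviour rows in the report's own row format and flags both patterns. The event lines and command lines are constructed to mirror the report (same PIDs, same wording, "sample.exe" standing in for the long file name), and the list of Attachment Manager value names other than ModRiskFileTypes is taken from Windows documentation, not from this report.

```python
"""Triage helpers for sandbox behaviour rows of the kind shown in this report.

Added example, not part of the sandbox report. Event lines and command lines
are constructed to mirror the report's rows; 'sample.exe' stands in for the
sample's long file name.
"""
import re
from collections import defaultdict

# Constructed sample: one behaviour row per line, in the report's row format
# "PID <src> <action> <dst> <src> <src image> <dst image>".
SAMPLE_EVENTS = """\
PID 2584 set thread context of 2556 2584 sample.exe sample.exe
PID 2584 wrote to memory of 2556 2584 sample.exe sample.exe
PID 2584 wrote to memory of 2556 2584 sample.exe sample.exe
PID 2556 wrote to memory of 2864 2556 sample.exe cmd.exe
PID 2864 wrote to memory of 2736 2864 cmd.exe reg.exe
PID 2864 wrote to memory of 2440 2864 cmd.exe gpupdate.exe
"""

# Constructed sample: command lines keyed by PID, copied from the process tree.
SAMPLE_CMDLINES = {
    2864: r"cmd /c C:\Users\Admin\AppData\Local\Temp\Start.bat",
    2736: r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
          r" /v ModRiskFileTypes /t REG_SZ /d .exe /f",
    2440: r"gpupdate /force",
}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Attachment Manager policy key (hive-relative, lower-cased) and the values that
# decide how downloaded files of a given extension are treated. Value names
# other than ModRiskFileTypes are an assumption from Windows documentation.
ATTACHMENT_MANAGER_KEY = r"software\microsoft\windows\currentversion\policies\associations"
RISK_LIST_VALUES = {"LowRiskFileTypes", "ModRiskFileTypes", "HighRiskFileTypes",
                    "DefaultFileTypeRisk"}
REG_ADD_RE = re.compile(r"reg\s+add\s+(\S+)\s+/v\s+(\S+)\s+/t\s+(\S+)\s+/d\s+(\S+)", re.I)


def parse_events(text):
    """Parse report-style rows into dicts; rows that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"src": int(d["src"]), "dst": int(d["dst"]),
                           "action": d["action"],
                           "src_img": d["src_img"], "dst_img": d["dst_img"]})
    return events


def find_hollowing_candidates(events):
    """(src, dst) pairs where one process both writes the memory of, and sets
    the thread context of, a second process running the same image: the shape
    of process hollowing (spawn self suspended, overwrite, fix context, resume)."""
    actions = defaultdict(set)
    same_image = {}
    for e in events:
        key = (e["src"], e["dst"])
        actions[key].add(e["action"])
        same_image[key] = e["src_img"] == e["dst_img"]
    return sorted(k for k, a in actions.items()
                  if {"set thread context of", "wrote to memory of"} <= a and same_image[k])


def find_attachment_manager_tamper(cmdlines):
    """reg.exe writes that reclassify file types for the Attachment Manager.
    Putting .exe into ModRiskFileTypes lowers it from its default high-risk
    class, weakening the handling of downloaded executables."""
    hits = []
    for pid, cmd in cmdlines.items():
        m = REG_ADD_RE.match(cmd)
        if m and m.group(1).lower().endswith(ATTACHMENT_MANAGER_KEY) \
                and m.group(2) in RISK_LIST_VALUES:
            hits.append({"pid": pid, "value": m.group(2), "data": m.group(4)})
    return hits


def triage(event_text, cmdlines):
    """Combine both checks into a list of findings a reviewer can act on."""
    findings = []
    for src, dst in find_hollowing_candidates(parse_events(event_text)):
        findings.append(f"possible process hollowing: {src} -> {dst}")
    for h in find_attachment_manager_tamper(cmdlines):
        findings.append(f"attachment manager policy tamper by PID {h['pid']}: "
                        f"{h['value']} = {h['data']}")
    if any(c.lower().startswith("gpupdate") for c in cmdlines.values()):
        findings.append("gpupdate observed: policy change applied immediately")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_CMDLINES):
        print(finding)
```

The hollowing check deliberately requires both a memory write and a thread-context change against a child of the same image; a parent that only writes to a child (the cmd.exe rows here) is normal process creation and is not flagged. On a live host the equivalent check for the registry side is to read the Associations key under HKCU and HKLM and treat any risk-list value that names .exe as a finding.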
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 200B
  MD5: 9cedeb0b293d2b5491225ef3d9eb2a8b
  SHA1: b607ef9bd319b6ec696c8dab8a314998d133298b
  SHA256: 3fc59706783a0778da9121da52a63e34e47c82f436d5b14943e14fb418fd4f08
  SHA512: ec7d4544e32b1ea460895b1037a9eca2529eed45d6ee1644f83dfc4d4ad8f7c32a811ee4627bc6b243fb5d5c9e3e2b22060d6a2903692830ff1f114d2b9f3cfc