Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2024, 09:40
Static task: static1
Behavioral task: behavioral1
- Sample: 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
- Size: 36KB
- MD5: 3cdb9341aa432be8caea5c60fe862640
- SHA1: 827e9c551db01916bcae1ca39c8229ebf219d878
- SHA256: 0ee03c7c074d5989cb758ad1ac24cc3205e02ac8a1b056febf47a682a3360240
- SHA512: a1d824a3001cc51c61e9bf7018d8c165c796f79a0702608bfae57f9b412b25c530bbff5583da06693639697a68cdf6083818a46a5c9f2281d3f74ae7cf5e9b59
- SSDEEP: 384:/Tg7/UnJ/+n/EkXVfczd9PcBJ4rv2DeI:/C/2Gn3EzXPIJ4T2De
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  560 | server.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
  2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
  2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
  2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\server.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\server.exe | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 2216 wrote to memory of 560 | 2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe | 31
  PID 2216 wrote to memory of 560 | 2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe | 31
  PID 2216 wrote to memory of 560 | 2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe | 31
  PID 2216 wrote to memory of 560 | 2216 | 3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe | 31
  PID 560 wrote to memory of 2600 | 560 | server.exe | 32
  PID 560 wrote to memory of 2600 | 560 | server.exe | 32
  PID 560 wrote to memory of 2600 | 560 | server.exe | 32
  PID 560 wrote to memory of 2600 | 560 | server.exe | 32
  PID 560 wrote to memory of 2600 | 560 | server.exe | 32
  PID 560 wrote to memory of 2600 | 560 | server.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cdb9341aa432be8caea5c60fe862640_JaffaCakes118.exe"
  PID: 2216
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 560
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" %1
      PID: 2600
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10KB
  MD5: bf9fac00298dd8ec4c370cc1a48485f8
  SHA1: d8a34eab9444e396ab36bf6ff19115834564b024
  SHA256: 6985c241f042fddcc46f704e2f362886c78ec4f0ba62d26ed1d92c7fb24ca679
  SHA512: 8d9ba754dd7b72177389ac9f56505c46af4467e006d9c49e93e5c40d5eca4786248145fe9c27c8646fb96ac79d7728379bc2bc119867f9fb014b264c540f7526