Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2024 15:48

Static task: static1
Behavioral task: behavioral1
Sample: 3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
Resource: win7-20240704-en
General

Target: 3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
Size: 906KB
MD5: 3dfdc72a69e464e2fe5a9dc15d0f872c
SHA1: 9cdb47a1b52762d9a94be067d0542c1e1fb7ee91
SHA256: d9d91e187b55cc521e8d3c79ac49d8bdd771a5626c2d39a7d788c97234248a19
SHA512: d7567c0a206fdbc0776632b7d675ad9079a75160296848b20de04f39ff472129603f818129b48a3e76e7bd57a141dfec215eb77bba530102e1c247f75f003f4f
SSDEEP: 12288:23RDRcAqZi970Oz6hGEM7CT3GddRdiKityWfxdXbeASgn16Nf5/ltloLtt1eWYLK:3Z3sS2Pi7X3d6f59G
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  pid   process
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
  description                        pid   process                                               target process
  PID 2392 wrote to memory of 2624   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  schtasks.exe
  PID 2392 wrote to memory of 2624   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  schtasks.exe
  PID 2392 wrote to memory of 2624   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  schtasks.exe
  PID 2392 wrote to memory of 2624   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  schtasks.exe
  PID 2392 wrote to memory of 2812   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2812   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2812   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2812   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2768   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2768   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2768   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2768   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2652   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2652   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2652   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2652   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2428   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2428   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2428   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2428   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2596   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2596   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2596   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  PID 2392 wrote to memory of 2596   2392  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe  3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
Processes

- [level 1] C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe"
  PID: 2392
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [level 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZvKfYNN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6DA.tmp"
    PID: 2624
    - Scheduled Task/Job: Scheduled Task

  - [level 2] C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe"
    PID: 2812

  - [level 2] C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe"
    PID: 2768

  - [level 2] C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe"
    PID: 2652

  - [level 2] C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe"
    PID: 2428

  - [level 2] C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3dfdc72a69e464e2fe5a9dc15d0f872c_JaffaCakes118.exe"
    PID: 2596
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: eb98c603e1314ba20a143541452eb418
  SHA1: f424107ac18b69936ba1fa94488d52889f3071c0
  SHA256: 07453a841d9a0b8f3d0c081fdf0f37ed9f305dc0183f24a8eea0bd4297000219
  SHA512: f91623e6311e8d6f528a6e2e25e8ae82547f7d9c769b4ab009014609c74097f01283d919655d12d9ee05690b88052944a2dc3d46361063c1955bff44bf1dddd0