Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14/07/2024, 16:27
Behavioral task: behavioral1
- Sample: 469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
- Size: 75KB
- MD5: 469c0ab22294610728f1aec8182cb4dc
- SHA1: 94619a1727fd405e0f676c2b52fbdeb780d7107f
- SHA256: f0636d33f7193131fe9d2f3e46187f4be2072025514d6d99d7d152e2b67b511d
- SHA512: f86e8d59726bb56f08fdfef96d829afdda250db245da52bdf282c2aba731eb35dabbe962460fe6291f67dcb87fe1bd2e24bb58b1de04aa14908181016ebf9724
- SSDEEP: 1536:83TMb1FpPtMNBdYjCpl1fnouy8Jz/aFQwXsoFCw:keLpPtyb1PoutpyFQIsaCw
Malware Config
Signatures
- YARA rule match: upx (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2548-0-0x0000000000400000-0x000000000043B000-memory.dmp    upx
  behavioral1/memory/2548-16-0x0000000000400000-0x000000000043B000-memory.dmp   upx
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid    Process
  1428   PING.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid    Process                                               procid_target
  PID 2548 wrote to memory of 1924    2548   469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe    31
  PID 2548 wrote to memory of 1924    2548   469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe    31
  PID 2548 wrote to memory of 1924    2548   469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe    31
  PID 2548 wrote to memory of 1924    2548   469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe    31
  PID 1924 wrote to memory of 1428    1924   cmd.exe                                               32
  PID 1924 wrote to memory of 1428    1924   cmd.exe                                               32
  PID 1924 wrote to memory of 1428    1924   cmd.exe                                               32
  PID 1924 wrote to memory of 1428    1924   cmd.exe                                               32
  PID 1924 wrote to memory of 876     1924   cmd.exe                                               33
  PID 1924 wrote to memory of 876     1924   cmd.exe                                               33
  PID 1924 wrote to memory of 876     1924   cmd.exe                                               33
  PID 1924 wrote to memory of 876     1924   cmd.exe                                               33
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe
  command: "C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe"
  signatures: Suspicious use of WriteProcessMemory
  PID: 2548
  - [2] C:\Windows\SysWOW64\cmd.exe
    command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C429.tmp\FixTools.bat""
    signatures: Suspicious use of WriteProcessMemory
    PID: 1924
    - [3] C:\Windows\SysWOW64\PING.EXE
      command: ping 127.0.0.1 -n 3 -w 1 -l 1
      signatures: Runs ping.exe
      PID: 1428
    - [3] C:\Windows\SysWOW64\cscript.exe
      command: cscript ospp.vbs /osppsvcrestart
      PID: 876
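The process tree is the most useful part of this report for a detection engineer: the sample hands cmd.exe a batch file under %TEMP%\C429.tmp, the batch calls `ping 127.0.0.1 -n 3` (the usual batch-file way to sleep a couple of seconds, since Windows 7 ships no sleep command) and then `cscript ospp.vbs /osppsvcrestart`, the service-restart switch of ospp.vbs, the Office Software Protection Platform script shipped with Microsoft Office. The report does not say what else FixTools.bat does. The Python below is an added example, not part of this report or of the sandbox's own signature set: it runs three rules (batch file launched from a Temp directory, loopback ping delay under cmd.exe, script host spawned by that batch) over hand-constructed process-creation events modelled on the tree above. The root's parent PID (1000) and the final benign ping event are invented for the example and are not in the report.

```python
import ntpath
import re

# Constructed process-creation events modelled on the process tree in this
# report (pid, parent pid, image, command line). They are hand-written here,
# not sandbox output; the root's parent pid and the last, benign event are
# assumptions added for the example.
EVENTS = [
    {"pid": 2548, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\469c0ab22294610728f1aec8182cb4dc_JaffaCakes118.exe"'},
    {"pid": 1924, "ppid": 2548, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\C429.tmp\FixTools.bat""'},
    {"pid": 1428, "ppid": 1924, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 3 -w 1 -l 1"},
    {"pid": 876, "ppid": 1924, "image": r"C:\Windows\SysWOW64\cscript.exe",
     "cmdline": "cscript ospp.vbs /osppsvcrestart"},
    # Benign control: an operator pinging a real host from a console.
    {"pid": 3001, "ppid": 900, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 10.0.0.1 -n 4"},
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# A .bat/.cmd whose path contains a \Temp\ component, as handed to cmd.exe.
TEMP_BATCH = re.compile(r'(?i)\\temp\\[^"]*\.(?:bat|cmd)\b')


def basename(image: str) -> str:
    """Lower-cased file name of a Windows path or bare program name."""
    return ntpath.basename(image).lower()


def is_loopback_ping_delay(cmdline: str) -> bool:
    """ping to loopback with a repeat count >= 2: the batch-file sleep idiom.

    -n 3 sends three echo requests; the wall-clock cost is the ~1 s gap
    between requests, so the call acts as a timer, not a network probe.
    """
    tokens = cmdline.split()
    if not tokens or basename(tokens[0]) not in ("ping", "ping.exe"):
        return False
    if not any(t.lower() in LOOPBACK for t in tokens[1:]):
        return False
    count = re.search(r"(?i)(?:^|\s)-n\s+(\d+)", cmdline)
    return count is not None and int(count.group(1)) >= 2


def runs_batch_from_temp(cmdline: str) -> bool:
    """cmd.exe handed a .bat/.cmd that lives under a ...\\Temp\\ directory."""
    return TEMP_BATCH.search(cmdline) is not None


def analyse(events):
    """Apply the three rules and return (pid, rule) hits in event order.

    The second and third rules look at the parent, which is why the events
    are indexed by pid first rather than scored one line at a time.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_is_cmd = parent is not None and basename(parent["image"]) == "cmd.exe"
        img = basename(e["image"])
        if img == "cmd.exe" and runs_batch_from_temp(e["cmdline"]):
            findings.append((e["pid"], "cmd_runs_batch_from_temp"))
        if parent_is_cmd and is_loopback_ping_delay(e["cmdline"]):
            findings.append((e["pid"], "loopback_ping_delay_from_cmd"))
        if (img in ("cscript.exe", "wscript.exe") and parent_is_cmd
                and runs_batch_from_temp(parent["cmdline"])):
            findings.append((e["pid"], "script_host_from_temp_batch"))
    return findings


def render_tree(events):
    """Indented 'pid cmdline' lines in the same parent/child order the report shows."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    known = {e["pid"] for e in events}
    roots = [e for e in events if e["ppid"] not in known]
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + f"{node['pid']} {node['cmdline']}")
        for child in children.get(node["pid"], []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for pid, rule in analyse(EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, `analyse` flags cmd.exe (1924), PING.EXE (1428) and cscript.exe (876) and leaves the benign ping alone. The loopback rule is deliberately tied to a cmd.exe parent: ping to 127.0.0.1 from an interactive console is common, but from a batch file it is almost always a delay loop.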
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 993d98530c5d937eab84bcf0c087e2e0
  SHA1: f0ddcf2cd650faf32aa113bd3395f1fc8c3380af
  SHA256: 05e6d5ac6ade7b2186379ae6d8fe10e169d0d2eba6d213d2eecfbc8583a20be8
  SHA512: f22a654c602efd97f241994627e553a30108a0ad131c96947367b55483dc28d27f854287548bd76c9f184e0807e86ff512a668f5446027fde4830a657bcf421d
- Filesize: 48KB
  MD5: 572e9a87757ac96c7677fd1b1b113c55
  SHA1: 9c8b96971997cd2dc0ed14f19dd9bc56d3348c3a
  SHA256: 008cf05944053116a095ad466561d3fd4be8a7de79e5ada7c5daab492f730465
  SHA512: bf670754942cfa839de4a31676a3ba2ac8cd1a00de6f1b70aff995e14a9c489e996e9a019898ec3470a11d02c14ab7a8fe4855a8f028d6b4ea987e51411d7be3