Analysis
-
max time kernel
140s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15/07/2024, 02:04
Static task
static1
Behavioral task
behavioral1
Sample
47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
-
Size
82KB
-
MD5
47c30c5ca4b2f571ca08a2f46abe5a02
-
SHA1
61fb17f5613db7c439f3cbcc27b5d9eb2e7fe54d
-
SHA256
57b4124df68164799d76f23e15caa39ccf03d09dd232c9997a09a9490440322b
-
SHA512
74eff30fa00c763817f76022f995035f027304a1e25601610e7f365b2ed60bbcf803870c373f086f2a5094c12ec37e702a5c355ea7e4126a179b53eeb1905755
-
SSDEEP
1536:UUHWkhI/q5CqltFcKM4Ed7HpRBjXTICNgD4B+COH8E60lk0GXkx:UUHWkhISDMBN/XTTBWH8D0ZGUx
Malware Config
Signatures
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IRA\Parameters\ServiceDll = "C:\\Program Files (x86)\\IRAT\\IRAT.rmvb" 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 3064 cmd.exe -
Loads dropped DLL 2 IoCs
pid Process 2052 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe 2404 svchost.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\IRAT\IRAT.rmvb 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\IRAT\IRAT.rmvb 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2052 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe 2404 svchost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2052 wrote to memory of 3064 2052 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe 31 PID 2052 wrote to memory of 3064 2052 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe 31 PID 2052 wrote to memory of 3064 2052 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe 31 PID 2052 wrote to memory of 3064 2052 47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe"1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\259431799.bat" "2⤵
- Deletes itself
PID:3064
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k krnlsrvc1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
278B
MD5162ae8fd0cfe9437fa5fcb71bd4cb71a
SHA15df1e056b9e3712fda10e85049e706c51630b76e
SHA2562fb6edaae0fcbc1db81b26c2ff9266f5894a2b549f5daed4ccd16afc8ab9c186
SHA5125dbbce04f34d7843afc0b778fcda815b73ee62576d79ec7060ea5e3cdd0e1e719e17931788abadeb686c3a47e9d91217427429bcdb04e5079c5781cb7eeb3e84
-
Filesize
124KB
MD580062697911956f31288abaf7f0af738
SHA13689873571e8c80d200b3531a0cf9c36dd2c2d1b
SHA256f28fcf5faba030fb55a1c961836194ffd06d594303a56d203217243b4c9c6df0
SHA51269ca61c02d1e0eb2f3f84220b8997f347701318df1f77dfb7393da80886a22ae381858a97cfa78ef6722a688f103e5267e228466e1da9d68f95cd01ddabf8623