Analysis
-
max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted
19/07/2024, 10:10
Static task
static1
Behavioral task
behavioral1
Sample
5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
Resource
win10v2004-20240704-en
General
-
Target
5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
-
Size
202KB
-
MD5
5b7d87fdfe031d630af9694b6eb54ad4
-
SHA1
a594443b3abd6e6b612f3803f9dfa365fb1c1cd5
-
SHA256
0002c23f50fe24bb8154dca21c98dbcff63814f3e836113ee696386cb517b3b5
-
SHA512
c841815147f8b6c8cc4a9b5eadf20f60bb25b022c7bec1bfda04767826d38b327b3ea6763b3b1bd4d602b50e0518780d4d26e7f7edfca7faef15b2c3925b9da5
-
SSDEEP
3072:XJCTWpqbDKCdJkVTIbsqF+yzexOnpR3K50csZLR+88++8oHxzbqLfilUB74XnqrJ:X90DKGzF+KeOpMIRk+LExzWvB74aH9
Malware Config
Signatures
-
Executes dropped EXE 8 IoCs
pid | Process
3708 | wingtp.exe
5052 | wingtp.exe
700 | wingtp.exe
756 | wingtp.exe
4572 | wingtp.exe
3980 | wingtp.exe
4892 | wingtp.exe
2696 | wingtp.exe
Drops file in System32 directory 18 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | 5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | 5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File created | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
File opened for modification | C:\Windows\SysWOW64\wingtp.exe | wingtp.exe
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid | Process (each process listed 6 times in the report)
4408 | 5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
3708 | wingtp.exe
5052 | wingtp.exe
700 | wingtp.exe
756 | wingtp.exe
4572 | wingtp.exe
3980 | wingtp.exe
4892 | wingtp.exe
2696 | wingtp.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target (each row recorded 3 times in the report)
PID 4408 wrote to memory of 3708 | 4408 | 5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe | 87
PID 3708 wrote to memory of 5052 | 3708 | wingtp.exe | 95
PID 5052 wrote to memory of 700 | 5052 | wingtp.exe | 99
PID 700 wrote to memory of 756 | 700 | wingtp.exe | 100
PID 756 wrote to memory of 4572 | 756 | wingtp.exe | 102
PID 4572 wrote to memory of 3980 | 4572 | wingtp.exe | 103
PID 3980 wrote to memory of 4892 | 3980 | wingtp.exe | 108
PID 4892 wrote to memory of 2696 | 4892 | wingtp.exe | 114
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe"
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4408

Depth 2: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1328 "C:\Users\Admin\AppData\Local\Temp\5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3708

Depth 3: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1324 "C:\Windows\SysWOW64\wingtp.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5052

Depth 4: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1300 "C:\Windows\SysWOW64\wingtp.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 700

Depth 5: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1308 "C:\Windows\SysWOW64\wingtp.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 756

Depth 6: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1320 "C:\Windows\SysWOW64\wingtp.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4572

Depth 7: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1204 "C:\Windows\SysWOW64\wingtp.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3980

Depth 8: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1344 "C:\Windows\SysWOW64\wingtp.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4892

Depth 9: C:\Windows\SysWOW64\wingtp.exe
Command line: C:\Windows\system32\wingtp.exe 1348 "C:\Windows\SysWOW64\wingtp.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2696
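The process tree and the WriteProcessMemory table together describe one linear chain: the sample drops wingtp.exe into SysWOW64, launches it with a numeric argument and its own quoted path, and every copy repeats the pattern, each child naming its parent's image on the command line. The command lines say C:\Windows\system32\wingtp.exe while the recorded image is C:\Windows\SysWOW64\wingtp.exe; that is WOW64 file system redirection applied to a 32-bit process, not two different files. The script below is an added example, not part of the report or the sandbox's own tooling. It rebuilds the chain from the "wrote to memory" edges, checks the parent-path handoff on each command line, and reports how deep the self-replication goes. All PIDs, paths and arguments are transcribed from the tables above; the meaning of the numeric argument (1328, 1324, ...) is not stated by the report and the script only extracts it.

```python
import re
from dataclasses import dataclass

SAMPLE = "5b7d87fdfe031d630af9694b6eb54ad4_JaffaCakes118.exe"
SAMPLE_PATH = "\\".join([r"C:\Users\Admin\AppData\Local\Temp", SAMPLE])
DROPPED_PATH = r"C:\Windows\SysWOW64\wingtp.exe"
# The 32-bit process names C:\Windows\system32 on its command line; WOW64 file
# system redirection maps that to SysWOW64, which is why the image path differs.
CMDLINE_IMAGE = r"C:\Windows\system32\wingtp.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str      # image path as recorded in the process tree
    cmdline: str    # command line as recorded in the process tree


def _w(arg: int, parent: str) -> str:
    """Build a wingtp.exe command line in the form seen in the report."""
    return f'{CMDLINE_IMAGE} {arg} "{parent}"'


# Process tree entries transcribed from the report (PID, image, command line).
PROCS = {
    4408: Proc(4408, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    3708: Proc(3708, DROPPED_PATH, _w(1328, SAMPLE_PATH)),
    5052: Proc(5052, DROPPED_PATH, _w(1324, DROPPED_PATH)),
    700: Proc(700, DROPPED_PATH, _w(1300, DROPPED_PATH)),
    756: Proc(756, DROPPED_PATH, _w(1308, DROPPED_PATH)),
    4572: Proc(4572, DROPPED_PATH, _w(1320, DROPPED_PATH)),
    3980: Proc(3980, DROPPED_PATH, _w(1204, DROPPED_PATH)),
    4892: Proc(4892, DROPPED_PATH, _w(1344, DROPPED_PATH)),
    2696: Proc(2696, DROPPED_PATH, _w(1348, DROPPED_PATH)),
}

# "PID X wrote to memory of Y" rows from the report. Each row appears three
# times there (one per write into the new child), so they are de-duplicated.
WRITES = [
    (4408, 3708), (3708, 5052), (5052, 700), (700, 756),
    (756, 4572), (4572, 3980), (3980, 4892), (4892, 2696),
]

# image <number> "<path>"  (the argument shape used by every dropped copy)
_ARGS = re.compile(r'^(?P<image>\S+) (?P<num>\d+) "(?P<parent>[^"]+)"$')


def parse_cmdline(cmdline):
    """Return (number, quoted path) for a wingtp-style command line, else None."""
    m = _ARGS.match(cmdline)
    if not m:
        return None
    return int(m.group("num")), m.group("parent")


def build_chain(root, writes=WRITES):
    """Follow parent->child write edges from root. Stops at a fork or a cycle,
    so a linear result means the tree really is a single chain."""
    children = {}
    for parent, child in writes:
        children.setdefault(parent, []).append(child)
    chain, seen = [root], {root}
    while True:
        nxt = children.get(chain[-1], [])
        if len(nxt) != 1 or nxt[0] in seen:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def self_replication_depth(chain, procs=PROCS):
    """Count consecutive descendants that (a) run from a system directory,
    (b) after the first hop run the same image as their parent, and
    (c) pass their parent's image path as the quoted argument. 0 = no pattern."""
    depth = 0
    for parent_pid, child_pid in zip(chain, chain[1:]):
        parent, child = procs[parent_pid], procs[child_pid]
        if not child.image.lower().startswith(SYSTEM_DIRS):
            break
        if depth and child.image != parent.image:
            break
        parsed = parse_cmdline(child.cmdline)
        if parsed is None or parsed[1] != parent.image:
            break
        depth += 1
    return depth


if __name__ == "__main__":
    chain = build_chain(4408)
    print("chain:", " -> ".join(map(str, chain)))
    print("self-replication depth:", self_replication_depth(chain))
    for pid in chain[1:]:
        print(pid, parse_cmdline(PROCS[pid].cmdline))
```

The depth check is deliberately strict about the handoff argument: a process tree where a dropped binary merely spawns itself is common to many installers, but a dropped binary that spawns itself from a system directory and tells each child which file launched it is the shape worth alerting on.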
Network
MITRE ATT&CK Matrix
Replay Monitor
Downloads
-
Filesize
202KB
MD5
5b7d87fdfe031d630af9694b6eb54ad4
SHA1
a594443b3abd6e6b612f3803f9dfa365fb1c1cd5
SHA256
0002c23f50fe24bb8154dca21c98dbcff63814f3e836113ee696386cb517b3b5
SHA512
c841815147f8b6c8cc4a9b5eadf20f60bb25b022c7bec1bfda04767826d38b327b3ea6763b3b1bd4d602b50e0518780d4d26e7f7edfca7faef15b2c3925b9da5