Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 03:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
Resource
win7-20240508-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
Resource
win10v2004-20240508-en
9 signatures
150 seconds
General
-
Target
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe
-
Size
72KB
-
MD5
584e10fd25ea48444ab5ea56ea34a461
-
SHA1
282a619b75a4e55e8579a10fcba8e32a3f9f40a2
-
SHA256
104cfc169567e06203a46f699c8b0249face8a47b213c1f4a8609bfef1b1569a
-
SHA512
86384b18b88de99a07b7c7453de045f342a9ea5da717bee2da1c8fe67354f08d84b6acd75eaadde51a7c2675bcaaa3760491bf775f31eddbfb707678bcdb1475
-
SSDEEP
1536:sWmLQLoXO5msms0sSvFNGwNDtpN0shO5msm:sWmSUTs0L/0hUT
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\chorion = "C:\\Users\\Admin\\forvarsl\\SPIDSART.exe" RegAsm.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exeRegAsm.exepid process 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe 2452 RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exedescription pid process target process PID 3068 set thread context of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exepid process 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exepid process 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exedescription pid process target process PID 3068 wrote to memory of 2464 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2464 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2464 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2464 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2464 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2464 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2464 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe PID 3068 wrote to memory of 2452 3068 584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\584e10fd25ea48444ab5ea56ea34a461_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2452-6-0x0000000077210000-0x00000000773B9000-memory.dmpFilesize
1.7MB
-
memory/3068-2-0x0000000000310000-0x0000000000319000-memory.dmpFilesize
36KB
-
memory/3068-3-0x0000000077211000-0x0000000077312000-memory.dmpFilesize
1.0MB
-
memory/3068-4-0x0000000077210000-0x00000000773B9000-memory.dmpFilesize
1.7MB
-
memory/3068-25-0x0000000000310000-0x0000000000319000-memory.dmpFilesize
36KB
-
memory/3068-26-0x0000000000310000-0x0000000000319000-memory.dmpFilesize
36KB