Analysis
- max time kernel: 0s
- max time network: 0s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 11:13
Static task: static1
Behavioral task: behavioral1
- Sample: 19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
- Size: 51KB
- MD5: 19e81e0a521ec0ce0608cd855796512c
- SHA1: e403727a1d0b1eae0a697142b55dcb621f8539fe
- SHA256: d6346d093c870ad5274cb12973792c096acbefc5be33974039a5eaa2f922670d
- SHA512: 48ce49918781247f351ab60e041c681c94e64eacd4520c38d4ba9fc59240f2bb4cddc136818ef516f9bd370ab16084eb91749eabde209404212c1b63a4d8a486
- SSDEEP: 768:u+9LZQAX5ZPpO/5eR6N+Nw6bDr9+JGDO9iX8OSuLDIjBN8LOPMJafST2rs4Kjag4:V3Z6N+NTb/cGVSQ0b8LOPMJNEshjN4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2180  WinUpdate.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid 2172  19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
    pid 2180  WinUpdate.exe (3 occurrences)
- YARA rule matches
  resource                                                                     yara_rule
    \Windows\SysWOW64\WINUPDATE.EXE                                            upx
    behavioral1/memory/2172-5-0x00000000022C0000-0x00000000022DA000-memory.dmp   upx
    behavioral1/memory/2180-11-0x0000000000400000-0x000000000041A000-memory.dmp  upx
- Drops file in System32 directory (3 IoCs)
  Processes:
    description   ioc                                 process
    File created  C:\Windows\SysWOW64\RESTART.EXE     19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
    File created  C:\Windows\SysWOW64\SHELLSETUP.DLL  19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
    File created  C:\Windows\SysWOW64\WINUPDATE.EXE   19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2180  WinUpdate.exe (64 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                         pid   process                                              target process
    PID 2172 wrote to memory of 2180    2172  19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe  WinUpdate.exe (7 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19e81e0a521ec0ce0608cd855796512c_JaffaCakes118.exe"
  Tree depth: 1
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WinUpdate.exe
    Command line: "C:\Windows\system32\WinUpdate.exe"
    Tree depth: 2 (child of the process above)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Windows\SysWOW64\WINUPDATE.EXE
  Filesize: 31KB
  MD5: d89838b3fdfd2392dc8a55a8dc6d791f
  SHA1: 812c542860b05c1e5068b01cb91b3a1d0b99d931
  SHA256: a8ddd8798ca355a82c3262fd8c7e9e15e2506b45f5dcb41117a981fe3b9bd8cf
  SHA512: 03ee1421940bf90baa21e36b8371181ea49c0be3ac0f1cace5769d75910d5579aa934444d5defa7120d32ffb82f7de5ad0e980195a37f7217d3225e3a0263bab
- memory/2172-5-0x00000000022C0000-0x00000000022DA000-memory.dmp
  Filesize: 104KB
- memory/2172-8-0x0000000000400000-0x0000000000413000-memory.dmp
  Filesize: 76KB
- memory/2180-11-0x0000000000400000-0x000000000041A000-memory.dmp
  Filesize: 104KB
- memory/2180-15-0x0000000000020000-0x000000000003A000-memory.dmp
  Filesize: 104KB