Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2024 22:02
Behavioral task: behavioral1
Sample: 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
Resource: win10v2004-20240704-en
General
Target: 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
Size: 250KB
MD5: 2662ee57f7bf5ea4c8871b2f587e3bd4
SHA1: b19f19cb047d7d987cec5a597d9df15d0f8e87f7
SHA256: 3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1
SHA512: b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085
SSDEEP: 6144:VSupje/Mir3zyvj8z5QcYrW9kW4zI8yD4og8ZH:VJFSMwjyvY6D+8b+
Malware Config
Signatures
- YARA rule match (signature name not captured in this report)
  resource / yara_rule:
    C:\Windows\SysWOW64\config\SAM.EXE / aspack_v212_v242
- Deletes itself (1 IoC)
  pid / process:
    2708 / cmd.exe
- Executes dropped EXE (1 IoC)
  pid / process:
    2748 / SAM.EXE
- Drops file in System32 directory (3 IoCs)
  description / ioc / process:
    File created / C:\Windows\SysWOW64\CONFIG\SAM.EXE / 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
    File opened for modification / C:\Windows\SysWOW64\CONFIG\SAM.EXE / 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
    File opened for modification / C:\Windows\SysWOW64\CONFIG\SAM.EXE / SAM.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  description / pid / process / target process:
    PID 1560 wrote to memory of 2708 / 1560 / 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe / cmd.exe
    PID 1560 wrote to memory of 2708 / 1560 / 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe / cmd.exe
    PID 1560 wrote to memory of 2708 / 1560 / 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe / cmd.exe
    PID 1560 wrote to memory of 2708 / 1560 / 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe / cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\2471.bat
    - Deletes itself
- C:\Windows\SysWOW64\CONFIG\SAM.EXE (depth 1)
  command line: C:\Windows\SysWOW64\CONFIG\SAM.EXE
  - Executes dropped EXE
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\2471.bat
  Filesize: 226B
  MD5: d5c72995a477b92ea610765da4c95023
  SHA1: ccdc63852900e1ced2e554d363630dab1e6cff08
  SHA256: 848151f97bf3691aebd2bd13b5236934643a0c7a69d31afb09a7fd5054d42db2
  SHA512: 6c0af09b7fd6b56c942f1f23c760aba0a57ac4dfc0c76894616f60178904716062f3bb2585f389eef8c904ca20cd97e29310fefef3b396ef59d0f99e2488a01b
- C:\Windows\SysWOW64\config\SAM.EXE
  Filesize: 250KB
  MD5: 2662ee57f7bf5ea4c8871b2f587e3bd4
  SHA1: b19f19cb047d7d987cec5a597d9df15d0f8e87f7
  SHA256: 3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1
  SHA512: b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085
- memory/1560-2-0x0000000000250000-0x0000000000251000-memory.dmp
  Filesize: 4KB
- memory/1560-19-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB
- memory/2748-9-0x00000000002D0000-0x00000000002D1000-memory.dmp
  Filesize: 4KB
- memory/2748-11-0x0000000000400000-0x0000000000498000-memory.dmp
  Filesize: 608KB