Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
- submitted: 04-07-2024 22:02
Behavioral task behavioral1
- Sample: 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General
-
Target
2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
-
Size
250KB
-
MD5
2662ee57f7bf5ea4c8871b2f587e3bd4
-
SHA1
b19f19cb047d7d987cec5a597d9df15d0f8e87f7
-
SHA256
3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1
-
SHA512
b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085
-
SSDEEP
6144:VSupje/Mir3zyvj8z5QcYrW9kW4zI8yD4og8ZH:VJFSMwjyvY6D+8b+
Malware Config
Signatures
-
Processes:
resource | yara_rule
C:\Windows\SysWOW64\CONFIG\SAM.EXE | aspack_v212_v242
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1932 | SAM.EXE
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\CONFIG\SAM.EXE | SAM.EXE
File created | C:\Windows\SysWOW64\CONFIG\SAM.EXE | 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\CONFIG\SAM.EXE | 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 2444 wrote to memory of 2052 | 2444 | 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe | cmd.exe
PID 2444 wrote to memory of 2052 | 2444 | 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe | cmd.exe
PID 2444 wrote to memory of 2052 | 2444 | 2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2662ee57f7bf5ea4c8871b2f587e3bd4_JaffaCakes118.exe"
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (depth 2, child of the sample)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6886.bat
-
C:\Windows\SysWOW64\CONFIG\SAM.EXE (depth 1)
Command line: C:\Windows\SysWOW64\CONFIG\SAM.EXE
- Executes dropped EXE
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6886.bat
Filesize: 226B
MD5: d5c72995a477b92ea610765da4c95023
SHA1: ccdc63852900e1ced2e554d363630dab1e6cff08
SHA256: 848151f97bf3691aebd2bd13b5236934643a0c7a69d31afb09a7fd5054d42db2
SHA512: 6c0af09b7fd6b56c942f1f23c760aba0a57ac4dfc0c76894616f60178904716062f3bb2585f389eef8c904ca20cd97e29310fefef3b396ef59d0f99e2488a01b
-
C:\Windows\SysWOW64\CONFIG\SAM.EXE
Filesize: 250KB
MD5: 2662ee57f7bf5ea4c8871b2f587e3bd4
SHA1: b19f19cb047d7d987cec5a597d9df15d0f8e87f7
SHA256: 3c74958e2b695c9e4c50dbe63654034845a5799e67a774ad2318b413860258e1
SHA512: b26ebfa34239c87da733e3e48d0a7c090469e337202ce0f993bbbf0cb284a048b8d67fae3235700f316c2c12f8953d806fb0c34d1f234077a7660ff43bcaa085
-
memory/1932-8-0x0000000000630000-0x0000000000631000-memory.dmp
Filesize: 4KB
-
memory/1932-11-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize: 608KB
-
memory/2444-2-0x0000000002240000-0x0000000002241000-memory.dmp
Filesize: 4KB
-
memory/2444-14-0x0000000000400000-0x0000000000498000-memory.dmp
Filesize: 608KB