2876d42c46641da695dc251590c52f78e373dfea91931c2f151df460084624ac

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

120771119f196f36035366ffe7f618a4_JaffaCakes118.exe
Size

6.2MB
MD5

120771119f196f36035366ffe7f618a4
SHA1

a35352df24ee96141da6cb919d5a89b35331b15c
SHA256

2876d42c46641da695dc251590c52f78e373dfea91931c2f151df460084624ac
SHA512

449ee7e279deccb2db8ac916fc8ffd93fda4929204d6d6ec60e31adfe6f6d921c35239e6d01dc6ea560a5f59153c7090334f454c54a17f2751d0ac09e415b43b
SSDEEP

98304:ThBe9Z1pqoaADoAuEgQdcpUgUOgZzz5Z2HSyOpJTqXOPqPRxDmgxn+4T7N+X/U:TWVZoAujQOpUgUBUDOT+OP+Tx+4TG/U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2696	orion.exe
2656	tor.exe

Loads dropped DLL 11 IoCs

pid	Process
2968	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe
2968	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe
2696	orion.exe
2696	orion.exe
2656	tor.exe
2656	tor.exe
2656	tor.exe
2656	tor.exe
2656	tor.exe
2656	tor.exe
2656	tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2656	tor.exe
2656	tor.exe
2656	tor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2696	2968	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2696	2968	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2696	2968	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2696	2968	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe	28
PID 2696 wrote to memory of 2656	2696	orion.exe	29
PID 2696 wrote to memory of 2656	2696	orion.exe	29
PID 2696 wrote to memory of 2656	2696	orion.exe	29
PID 2696 wrote to memory of 2656	2696	orion.exe	29

C:\Users\Admin\AppData\Local\Temp\120771119f196f36035366ffe7f618a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\120771119f196f36035366ffe7f618a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Roaming\Orion\orion.exe
  C:\Users\Admin\AppData\Roaming\Orion\orion.exe /wait
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Roaming\Orion\Tor\tor.exe
    Tor\tor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Orion\Config.ini

Filesize
488B

MD5
4306697133cbcf104790aabd48bfaf87

SHA1
e4648be74cd6ba8042de9e5f194ac129ed41c361

SHA256
1220940ecb946399ed1c842576de6b0d8ec07381dbbbee10982ca056aabeb649

SHA512
67674e1f2bdd17c114c30f131b99edb55c30d6382920e5871eb4c830246321c2e666770799190c85b704796c2baef95052085ceff5de60d41b12d1778a0d7627

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\LIBEAY32.dll

Filesize
2.5MB

MD5
c9bbba92e2717bffc8ef75d3af8b296e

SHA1
0836bccdc54132ad4698d0cccd7d1a1de85440b9

SHA256
f1e2bc9059a8a88027ccb2684ecf4a064176462496d79bb35d2b69a95d9fcef3

SHA512
2762d3c31cd568427b82bc925401491281777fff359262c2ccedec7409828431d2dc7e410e0ac287aebb0da0534bd3031037e7626e9bc6bcba9b42be483b2c3f

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\libevent-2-1-6.dll

Filesize
840KB

MD5
635a89549d6d56a7bd61c8d555e16400

SHA1
714135c224f48a79bd9a043615578d2d86af32cf

SHA256
3b43f259f446ad289f3a50241156f04a2bddc14d6b60d8d10124f6f7e7861faf

SHA512
59993bbb35b2434cd7baa1ec88c977a91494f8a99cadab23866a74efd19daf8835f75805c2bf1af3953219256315a6808e251d09cc4ba8c18f2a0b2656d58f96

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\libgcc_s_sjlj-1.dll

Filesize
968KB

MD5
ec27d495bd75f4cf95bc4f8e5a183c93

SHA1
0b1540a3c18b33be604a0f3bd1cf7cace521c778

SHA256
f374f6f3c6c6a82a43ac3941aeeedbdd0428081ad0c296d75d03fce736202c7d

SHA512
6b2e5747c128f2d6bf526345f252dade00dfe84980059114b9aad12c8b53e9e4192e6a007ace3b4598803547ddf1f3e17ee6d4491b48e404ca00602e1ff0a179

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\libssp-0.dll

Filesize
272KB

MD5
0989c27514e64873f277e2b585a9af6c

SHA1
c8e53889f2ad2d7f22252ebef52b96c87883444d

SHA256
b65422fbdadf1ab7bc5029a94bb00641317b344523769dfdfecd9c6fbcfdea96

SHA512
f9c3a18a32724829ffb8ba6b10cb77ea64f67f9d9367e6f879a552fd7803041356aedbb2a706a245cb8fc635f1afd3a5a9a0a4f0825de21fb8edc5cf1f1a3198

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\tor.exe

Filesize
3.9MB

MD5
fa9f5f89dd6f0771e3ea0c1f3ab5953c

SHA1
c430abd0c6f3aefe676d63282cac7c4fef8e3e79

SHA256
ec9c50c5ebc74854a33887c994f3d5b319e3b72bf0610ea3a0be38f2bcbcd0e8

SHA512
5c9200b15dbad9700b6b295d6afe178fbf79cfa5e94b369137b1331f15f9546d31699e28b8a489667e0c529472cdc1252e7b198a799b750fb6a459955a8269c7

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\zlib1.dll

Filesize
105KB

MD5
3e32725d75077a5a799b58e0d163a962

SHA1
ad6d80c97ff59dfbfa1e05b1860771b7607f54d4

SHA256
b46685e5460dbb6088a6516e6343eb88c40e1c5a021df1ed13aaefc4dfc547ab

SHA512
22a758d21bf37f80391c75c1cd40ac44e1dc55b7f9a86616bd88d1f6faf71ee2bde9520b20b9060d5af0ce2cd81888bfa1c33ab96cd19cb1d3bafcb427a33ad4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
c3500568dce64d98b5a8347e50374743

SHA1
4886191b037824ea6fb15313dca1a1dc087e39c8

SHA256
e99b8f64e6af8d788dd63cede1218fefa690c0cd569d580f5519547ac013bab2

SHA512
65750c8ecf9ed8cafca1f49c8e380569bc2a8f1df1600091bdb7a131d5a0cd9ab96af7b9dd113c98d638058e7f89af9b853f2239400fd32d24475315f2eaaad4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.2MB

MD5
2cc7304055ca3ea22f6b8cc02ebd0d74

SHA1
a276a46189844a9368312cf3d552b59b4ecf0e94

SHA256
aa5f28dc3ddfbef466435819c94a85bcd825a951996ff884bc562275c8dde70b

SHA512
dbda685f1512b41afeaf489abedadb56f8ee25b751cf43521037db7094f950af3ff379a29fb4ff9820095291902b033eb605a61c5f9449d8225f885cc5351789

Download Submit
\Users\Admin\AppData\Roaming\Orion\Tor\libwinpthread-1.dll

Filesize
500KB

MD5
5d87b188254c4c82edbd095e4412c24d

SHA1
3a908161025f652bef53c98d9b53c3381850be5d

SHA256
2d4e700fb217cb63a7da757cc3df18cb8fb644dff39506f15e1103d73bf8d681

SHA512
582cc031b3bad757403f29eff90cc66c208a782e480006b4bb5eedaa11d678ffdc22486ea9e7266ff60af1acf7e73be3b6edd1e3228badb033fae4e896f104a5

Download Submit
\Users\Admin\AppData\Roaming\Orion\Tor\ssleay32.dll

Filesize
770KB

MD5
07ff8f980dd3939ffac23a8bd4ae1564

SHA1
69d487d4a1de566b54a457d8d263a891f6c4a6f2

SHA256
8e832e363a336399e129ddec16cff52fdf7297e98c7b85cf3371fc33eeb5aded

SHA512
87b0ebad59bc1097bef8d3339474576b5c05cb8efc2ddff74645c89611f3a6b33fc09ed1db57e16813a7865588b690e4f5dd9f3e76a59825ce60d62c8769f63f

Download Submit
\Users\Admin\AppData\Roaming\Orion\orion.exe

Filesize
6.2MB

MD5
120771119f196f36035366ffe7f618a4

SHA1
a35352df24ee96141da6cb919d5a89b35331b15c

SHA256
2876d42c46641da695dc251590c52f78e373dfea91931c2f151df460084624ac

SHA512
449ee7e279deccb2db8ac916fc8ffd93fda4929204d6d6ec60e31adfe6f6d921c35239e6d01dc6ea560a5f59153c7090334f454c54a17f2751d0ac09e415b43b

Download Submit
memory/2656-112-0x0000000074BA0000-0x0000000074DAC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-103-0x0000000074AF0000-0x0000000074B97000-memory.dmp

Filesize
668KB

Download
memory/2656-77-0x0000000075030000-0x0000000075051000-memory.dmp

Filesize
132KB

Download
memory/2656-82-0x0000000074AF0000-0x0000000074B97000-memory.dmp

Filesize
668KB

Download
memory/2656-84-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-78-0x0000000074F20000-0x0000000074FDD000-memory.dmp

Filesize
756KB

Download
memory/2656-175-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-96-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-98-0x0000000074FE0000-0x0000000075029000-memory.dmp

Filesize
292KB

Download
memory/2656-99-0x0000000074F20000-0x0000000074FDD000-memory.dmp

Filesize
756KB

Download
memory/2656-100-0x0000000074E30000-0x0000000074F1A000-memory.dmp

Filesize
936KB

Download
memory/2656-102-0x0000000074BA0000-0x0000000074DAC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-101-0x0000000074DB0000-0x0000000074E2E000-memory.dmp

Filesize
504KB

Download
memory/2656-80-0x0000000074BA0000-0x0000000074DAC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-76-0x0000000075030000-0x0000000075051000-memory.dmp

Filesize
132KB

Download
memory/2656-169-0x0000000074BA0000-0x0000000074DAC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-114-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-122-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-124-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-130-0x0000000074BA0000-0x0000000074DAC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-133-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-146-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2656-152-0x0000000074BA0000-0x0000000074DAC000-memory.dmp

Filesize
2.0MB

Download
memory/2656-163-0x0000000001090000-0x0000000001476000-memory.dmp

Filesize
3.9MB

Download
memory/2696-174-0x0000000000400000-0x0000000000A44000-memory.dmp

Filesize
6.3MB

Download
memory/2696-95-0x0000000000400000-0x0000000000A44000-memory.dmp

Filesize
6.3MB

Download
memory/2968-56-0x0000000000400000-0x0000000000A44000-memory.dmp

Filesize
6.3MB

Download