2876d42c46641da695dc251590c52f78e373dfea91931c2f151df460084624ac

Analysis

max time kernel
156s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

120771119f196f36035366ffe7f618a4_JaffaCakes118.exe
Size

6.2MB
MD5

120771119f196f36035366ffe7f618a4
SHA1

a35352df24ee96141da6cb919d5a89b35331b15c
SHA256

2876d42c46641da695dc251590c52f78e373dfea91931c2f151df460084624ac
SHA512

449ee7e279deccb2db8ac916fc8ffd93fda4929204d6d6ec60e31adfe6f6d921c35239e6d01dc6ea560a5f59153c7090334f454c54a17f2751d0ac09e415b43b
SSDEEP

98304:ThBe9Z1pqoaADoAuEgQdcpUgUOgZzz5Z2HSyOpJTqXOPqPRxDmgxn+4T7N+X/U:TWVZoAujQOpUgUBUDOT+OP+Tx+4TG/U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1816	orion.exe
4744	tor.exe

Loads dropped DLL 9 IoCs

pid	Process
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe
4744	tor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 1816	3416	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe	96
PID 3416 wrote to memory of 1816	3416	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe	96
PID 3416 wrote to memory of 1816	3416	120771119f196f36035366ffe7f618a4_JaffaCakes118.exe	96
PID 1816 wrote to memory of 4744	1816	orion.exe	97
PID 1816 wrote to memory of 4744	1816	orion.exe	97
PID 1816 wrote to memory of 4744	1816	orion.exe	97

C:\Users\Admin\AppData\Local\Temp\120771119f196f36035366ffe7f618a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\120771119f196f36035366ffe7f618a4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Roaming\Orion\orion.exe
  C:\Users\Admin\AppData\Roaming\Orion\orion.exe /wait
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Roaming\Orion\Tor\tor.exe
    Tor\tor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Orion\Config.ini

Filesize
488B

MD5
0d5d51ce2bf32c1066ae452a233c51ea

SHA1
8df9ac058d403c604b509a8bdab5c87b8412ed4b

SHA256
b041addc5b6d52f84d6afad8de7afc8bfe4fcf3188641c5968a9f98900236636

SHA512
26e950c47cd2e348e548f4b1253d243a9f2910a8479089f7616c06c18b887a503498f853fdebbf0454109b47a87e92a60f6222da74542638fdd8cc2f7d439d98

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\LIBEAY32.dll

Filesize
2.5MB

MD5
c9bbba92e2717bffc8ef75d3af8b296e

SHA1
0836bccdc54132ad4698d0cccd7d1a1de85440b9

SHA256
f1e2bc9059a8a88027ccb2684ecf4a064176462496d79bb35d2b69a95d9fcef3

SHA512
2762d3c31cd568427b82bc925401491281777fff359262c2ccedec7409828431d2dc7e410e0ac287aebb0da0534bd3031037e7626e9bc6bcba9b42be483b2c3f

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\libevent-2-1-6.dll

Filesize
840KB

MD5
635a89549d6d56a7bd61c8d555e16400

SHA1
714135c224f48a79bd9a043615578d2d86af32cf

SHA256
3b43f259f446ad289f3a50241156f04a2bddc14d6b60d8d10124f6f7e7861faf

SHA512
59993bbb35b2434cd7baa1ec88c977a91494f8a99cadab23866a74efd19daf8835f75805c2bf1af3953219256315a6808e251d09cc4ba8c18f2a0b2656d58f96

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\libgcc_s_sjlj-1.dll

Filesize
968KB

MD5
ec27d495bd75f4cf95bc4f8e5a183c93

SHA1
0b1540a3c18b33be604a0f3bd1cf7cace521c778

SHA256
f374f6f3c6c6a82a43ac3941aeeedbdd0428081ad0c296d75d03fce736202c7d

SHA512
6b2e5747c128f2d6bf526345f252dade00dfe84980059114b9aad12c8b53e9e4192e6a007ace3b4598803547ddf1f3e17ee6d4491b48e404ca00602e1ff0a179

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\libssp-0.dll

Filesize
272KB

MD5
0989c27514e64873f277e2b585a9af6c

SHA1
c8e53889f2ad2d7f22252ebef52b96c87883444d

SHA256
b65422fbdadf1ab7bc5029a94bb00641317b344523769dfdfecd9c6fbcfdea96

SHA512
f9c3a18a32724829ffb8ba6b10cb77ea64f67f9d9367e6f879a552fd7803041356aedbb2a706a245cb8fc635f1afd3a5a9a0a4f0825de21fb8edc5cf1f1a3198

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\libwinpthread-1.dll

Filesize
500KB

MD5
5d87b188254c4c82edbd095e4412c24d

SHA1
3a908161025f652bef53c98d9b53c3381850be5d

SHA256
2d4e700fb217cb63a7da757cc3df18cb8fb644dff39506f15e1103d73bf8d681

SHA512
582cc031b3bad757403f29eff90cc66c208a782e480006b4bb5eedaa11d678ffdc22486ea9e7266ff60af1acf7e73be3b6edd1e3228badb033fae4e896f104a5

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\ssleay32.dll

Filesize
770KB

MD5
07ff8f980dd3939ffac23a8bd4ae1564

SHA1
69d487d4a1de566b54a457d8d263a891f6c4a6f2

SHA256
8e832e363a336399e129ddec16cff52fdf7297e98c7b85cf3371fc33eeb5aded

SHA512
87b0ebad59bc1097bef8d3339474576b5c05cb8efc2ddff74645c89611f3a6b33fc09ed1db57e16813a7865588b690e4f5dd9f3e76a59825ce60d62c8769f63f

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\tor.exe

Filesize
3.9MB

MD5
fa9f5f89dd6f0771e3ea0c1f3ab5953c

SHA1
c430abd0c6f3aefe676d63282cac7c4fef8e3e79

SHA256
ec9c50c5ebc74854a33887c994f3d5b319e3b72bf0610ea3a0be38f2bcbcd0e8

SHA512
5c9200b15dbad9700b6b295d6afe178fbf79cfa5e94b369137b1331f15f9546d31699e28b8a489667e0c529472cdc1252e7b198a799b750fb6a459955a8269c7

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Tor\zlib1.dll

Filesize
105KB

MD5
3e32725d75077a5a799b58e0d163a962

SHA1
ad6d80c97ff59dfbfa1e05b1860771b7607f54d4

SHA256
b46685e5460dbb6088a6516e6343eb88c40e1c5a021df1ed13aaefc4dfc547ab

SHA512
22a758d21bf37f80391c75c1cd40ac44e1dc55b7f9a86616bd88d1f6faf71ee2bde9520b20b9060d5af0ce2cd81888bfa1c33ab96cd19cb1d3bafcb427a33ad4

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\orion.exe

Filesize
6.2MB

MD5
120771119f196f36035366ffe7f618a4

SHA1
a35352df24ee96141da6cb919d5a89b35331b15c

SHA256
2876d42c46641da695dc251590c52f78e373dfea91931c2f151df460084624ac

SHA512
449ee7e279deccb2db8ac916fc8ffd93fda4929204d6d6ec60e31adfe6f6d921c35239e6d01dc6ea560a5f59153c7090334f454c54a17f2751d0ac09e415b43b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
c3500568dce64d98b5a8347e50374743

SHA1
4886191b037824ea6fb15313dca1a1dc087e39c8

SHA256
e99b8f64e6af8d788dd63cede1218fefa690c0cd569d580f5519547ac013bab2

SHA512
65750c8ecf9ed8cafca1f49c8e380569bc2a8f1df1600091bdb7a131d5a0cd9ab96af7b9dd113c98d638058e7f89af9b853f2239400fd32d24475315f2eaaad4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
8.4MB

MD5
8ab09a11afd26c88f37bb15223845f11

SHA1
cb1a369cf5c6b63b82f80f5b4913e5695226a658

SHA256
e200d75ad3044750c9fd29540d929a64d0759c28c984a00e8973199c68d629b7

SHA512
b10f636246da6f656b22eafdf7393d1d0ce670f2b3f520f2e673fe2536ed4040ba8f3cbaf9d3e8c87d946070ba545750d019b123f3c1bcfa8ac54dc382bef9e4

Download Submit
memory/1816-84-0x0000000000400000-0x0000000000A44000-memory.dmp

Filesize
6.3MB

Download
memory/1816-142-0x0000000000400000-0x0000000000A44000-memory.dmp

Filesize
6.3MB

Download
memory/1816-130-0x0000000000400000-0x0000000000A44000-memory.dmp

Filesize
6.3MB

Download
memory/3416-52-0x0000000000400000-0x0000000000A44000-memory.dmp

Filesize
6.3MB

Download
memory/4744-96-0x0000000075260000-0x00000000752A9000-memory.dmp

Filesize
292KB

Download
memory/4744-128-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-92-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-95-0x00000000752B0000-0x00000000752D1000-memory.dmp

Filesize
132KB

Download
memory/4744-81-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-79-0x00000000751B0000-0x0000000075257000-memory.dmp

Filesize
668KB

Download
memory/4744-98-0x00000000750C0000-0x00000000751AA000-memory.dmp

Filesize
936KB

Download
memory/4744-97-0x00000000751B0000-0x0000000075257000-memory.dmp

Filesize
668KB

Download
memory/4744-99-0x0000000075000000-0x00000000750BD000-memory.dmp

Filesize
756KB

Download
memory/4744-100-0x0000000074F80000-0x0000000074FFE000-memory.dmp

Filesize
504KB

Download
memory/4744-77-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-119-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-120-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-90-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-129-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-76-0x0000000075000000-0x00000000750BD000-memory.dmp

Filesize
756KB

Download
memory/4744-131-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-132-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-74-0x00000000752B0000-0x00000000752D1000-memory.dmp

Filesize
132KB

Download
memory/4744-143-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-144-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-155-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-156-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-166-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-167-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download
memory/4744-175-0x0000000000480000-0x0000000000866000-memory.dmp

Filesize
3.9MB

Download
memory/4744-176-0x00000000752E0000-0x00000000754EC000-memory.dmp

Filesize
2.0MB

Download