Analysis

  • max time kernel: 131s
  • max time network: 141s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 28-03-2024 23:49

General

  • Target: 130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe
  • Size: 20KB
  • MD5: 130eaea4dc821baa7927ba07ee7ede0c
  • SHA1: 72d95f31951a97bfa24cad8faa8a9061079c5b47
  • SHA256: 08539e3831c9d5f42dd913a6df1fb8146d2ba60bec231be6aa751c1f71100c04
  • SHA512: 326e98d1ea3d7f9c21a7a65469abf4e344c20d0db06facdeef69b9db2bd84da45a94213eb20e7d8604cc286547878822fb0079b37cef6392300b1d37a94c1e35
  • SSDEEP: 384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4PSJW:hDXWipuE+K3/SSHgxmHZPS4

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\130eaea4dc821baa7927ba07ee7ede0c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Users\Admin\AppData\Local\Temp\DEMB74E.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMB74E.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1432
          • C:\Users\Admin\AppData\Local\Temp\DEMD4A.exe
            "C:\Users\Admin\AppData\Local\Temp\DEMD4A.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Users\Admin\AppData\Local\Temp\DEM62B9.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM62B9.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2832
              • C:\Users\Admin\AppData\Local\Temp\DEMB7EA.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMB7EA.exe"
                7⤵
                • Executes dropped EXE
                PID:2068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM61EE.exe
    Filesize: 20KB
    MD5: 3bdea5e311644dffb86c3dbb3db07c48
    SHA1: 8bd49ce71c8cb1753e1cf7c0155f53597a231cb3
    SHA256: bd1d860385d034679dcfc290050dcbd6056abffb9c374f86383fbe228dde294c
    SHA512: 4d01de0cf27379423b4b3fe9e535adb249b7bcc9f1b8271e3af4f0e377f458fcc63db2c078ef5a1c46bb9c9e1d83df477bc091ed5b45c3cc92dbb3015634c4b8

  • C:\Users\Admin\AppData\Local\Temp\DEMC9E.exe
    Filesize: 20KB
    MD5: c34bd6f2cc40708b1b6a9edba8b801ae
    SHA1: 0a8b360afca7368018dd53aa502bd023a504ec21
    SHA256: 04aab92bdd08d72654af4366e93ff939c1546c7ab6cd0646fa7ef81a1b632177
    SHA512: d052cc6082cd00610ebea6f0ec95ffc03cbf3a528978d2ade707edd62e519f29525c0c44befca51bbe6dac64bac3dd350a7eff5368f07c14421a274b152386d8

  • \Users\Admin\AppData\Local\Temp\DEM62B9.exe
    Filesize: 20KB
    MD5: 46a8e5d443914a2bb71a37c7142c6e48
    SHA1: 6c1429a6ace4132692fc8339a03ea17fd904dced
    SHA256: 244d5ddacf36aa50b8d967c99a90a5510acd543df894755f2d1f112b77285897
    SHA512: 8830d0ff25992c34964f75c89e2ffad995b1d03d14feb5e4b4f6c5eb8e2fd8aac1a100c2ecbfa6843128c98a58d3af01573fa2868662ab3c32515bb2948beabd

  • \Users\Admin\AppData\Local\Temp\DEMB74E.exe
    Filesize: 20KB
    MD5: 7b323716774426e2133fa04900a48fa5
    SHA1: e9020c075a6acb3a64661addf1b4f638ca91adec
    SHA256: 1bb6a41981ee9d3f4ac11b99faca2e893ef338bc311a7fbb6792b0386bd46e5a
    SHA512: 63873b23bd5c3766e1ce59a8fda3ace1058f5c26b759948061ae745f8d7bdeb692745e4ec2207490c84912efb9f85a45e77b7bf8dbbf39334248d755910570ce

  • \Users\Admin\AppData\Local\Temp\DEMB7EA.exe
    Filesize: 20KB
    MD5: 4968cc1cff31bd255d30eb721b2b0aa5
    SHA1: 64d5c1d2f7eed5702fdfa5b7143e1dfc68a62bf9
    SHA256: 349e2cb896127b268b3fff510abc1daf34920ac3b99357f09cf1a21d72ab7d95
    SHA512: 5e77e4946f55a5950ecc9a94496c1e44bfab4b30e8d178344a9c76b9b8cb628950e4e74557f1d3074d1989d740ce6a60c4579a049287f32bc8e9886e28d52987

  • \Users\Admin\AppData\Local\Temp\DEMD4A.exe
    Filesize: 20KB
    MD5: d187cf67f07c8c901b29f8df62d6a9b2
    SHA1: e21b3c8c4a9be64224cce8fbc2ba9e788719fc2e
    SHA256: 40152ab15045963f80d8cf1395cca82ddd729238df8adc50ef261cf4aa7b1d61
    SHA512: ab7d443a8a16c8fe8d37ed1f99c67a9377ac69dbd3ea753a04c4d762545b6f03598e4d0afc8b9311e58cd69298ccebf63b69ea7e460927a28a6855502faf8c3e