Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2024, 07:50

General

  • Target

    00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    00ce7682023686f4c1336fdcfccf50d2

  • SHA1

    9644ba92a81872785be50ea81de3a74eebd9fc10

  • SHA256

    4bcd7342dcbd048d14c7eadb7c42a467895ffacd5ebd8af69e9643d1866b3217

  • SHA512

    02b0785fc497700984fc477ca4cce8a13105341f7b4b1ee0287a0fa1d2797eb3ba1a8843715787348a34dcb6d5b87b02d8f48d657646dd7de30c02f26caba39b

  • SSDEEP

    98304:p7SpxSV7vi8Eody/CKKKXbEN5bB+PU+zWveiX:p7SpxGzi89dGV5g5b4VzXiX

Score
8/10

Signatures

  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\00ce7682023686f4c1336fdcfccf50d2_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\lettera\prog\ini.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\lettera\prog\ini.bat" HIDE-BOSS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\lettera\prog\RunVBS.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\lettera\prog\ini.bat" BOSS"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2316
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
              6⤵
                PID:2496
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                6⤵
                  PID:240
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                  6⤵
                    PID:2556
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f
                    6⤵
                      PID:2388
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v TaskbarGlomLevel /t REG_DWORD /d 2 /f
                      6⤵
                        PID:2396
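
The five reg.exe children above write VBAWarnings=1 under the Excel Security key for Office 12.0, 14.0, 15.0 and 16.0 (Excel 2007 through 2016/2019/365). Value 1 is the "enable all macros" setting, so the dropped LETTRIBRS.xlsm would open in any installed Excel version with its macros running and no security prompt. The Python below is an added example, not part of this report or of the sample: it parses such REG ADD command lines (as captured from a sandbox or a process-creation log) and flags the macro-security downgrade. The sample input is copied from the process tree above plus one constructed benign line; the VBAWarnings meanings are Microsoft's documented values, and the function names and output shape are this example's own.

```python
"""Detect reg.exe command lines that downgrade Office macro security.

Added example for this report: parses 'REG ADD' command lines such as the ones
in the process tree (from a sandbox or a process-creation log) and flags writes
to VBAWarnings. Function names and the output shape are this example's own;
the VBAWarnings meanings are Microsoft's documented values.
"""
import re
from typing import Dict, List, Optional

# Documented meaning of HKCU\Software\Microsoft\Office\<ver>\<app>\Security\VBAWarnings
VBA_WARNINGS = {
    1: "enable all macros, no prompt",
    2: "disable all macros with notification (default)",
    3: "disable all macros except digitally signed",
    4: "disable all macros without notification",
}

# Office release behind each version key, for the analyst's benefit.
OFFICE_RELEASE = {"12.0": "2007", "14.0": "2010", "15.0": "2013", "16.0": "2016/2019/365"}

# Accepts the short and long hive name and the trailing backslash seen above.
SECURITY_KEY = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Office\\"
    r"(?P<ver>\d+\.\d+)\\(?P<app>[A-Za-z]+)\\Security\\?$",
    re.IGNORECASE,
)


def parse_reg_add(cmdline: str) -> Optional[Dict[str, str]]:
    """Split an unquoted 'REG ADD' command line into key, /v, /t and /d fields."""
    argv = cmdline.split()
    if len(argv) < 3:
        return None
    exe = argv[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    fields = {"key": argv[2]}
    switches = {"/v": "name", "/t": "type", "/d": "data"}
    i = 3
    while i < len(argv):
        dest = switches.get(argv[i].lower())
        if dest and i + 1 < len(argv):
            fields[dest] = argv[i + 1]
            i += 2
        else:
            i += 1  # /f and anything unknown carries no operand
    return fields


def assess(cmdline: str) -> Optional[Dict[str, object]]:
    """Return a finding for a VBAWarnings write, or None for unrelated commands."""
    fields = parse_reg_add(cmdline)
    if not fields or fields.get("name", "").lower() != "vbawarnings":
        return None
    m = SECURITY_KEY.match(fields["key"])
    if not m:
        return None
    try:
        value = int(fields.get("data", ""), 0)  # accepts "1" and "0x1"
    except ValueError:
        return None
    ver = m.group("ver")
    return {
        "app": m.group("app"),
        "office_version": ver,
        "release": OFFICE_RELEASE.get(ver, "unknown"),
        "value": value,
        "meaning": VBA_WARNINGS.get(value, "unknown value"),
        # Only 1 silently enables macros; 2-4 are the default or stricter.
        "severity": "high" if value == 1 else "low",
    }


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over a batch of command lines and keep the hits."""
    return [f for f in map(assess, cmdlines) if f]


# Sample input: the reg.exe lines from the process tree above, plus one
# constructed benign line (Word, value 2) that restores the default.
SAMPLE = [
    r"REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f",
    r"REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f",
    r"REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f",
    r"REG ADD HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\ /v VBAWarnings /t REG_DWORD /d 1 /f",
    r"REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v TaskbarGlomLevel /t REG_DWORD /d 2 /f",
    r"reg.exe add HKCU\Software\Microsoft\Office\16.0\Word\Security /v VBAWarnings /t REG_DWORD /d 2 /f",  # constructed
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"[{hit['severity']}] {hit['app']} {hit['release']} (Office {hit['office_version']}): "
              f"VBAWarnings={hit['value']} -> {hit['meaning']}")
```

Run against the sample, the four Excel lines come out as high-severity hits and the TaskbarGlomLevel write is ignored; the same `assess()` can be fed process-creation command lines from an EDR or Sysmon Event ID 1 export. The parser deliberately handles only unquoted reg.exe invocations like the ones here; a quoted key path would need proper Windows command-line tokenising.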

                  Downloads

                  • C:\lettera\prog\RunVBS.vbs

                    Filesize

                    98B

                    MD5

                    6ba5f2c66500f7c255886fc8fe1024ce

                    SHA1

                    0b74e63957018f065e77c91ee1ca838480534e17

                    SHA256

                    fbfe882314562a3b734d59112b139e70ddd4ae91ef6292032b251ff368fa475d

                    SHA512

                    d594cf7dd31e46ea5e6c39d34c2e4b6e1241ef665367178346aaceafa073b379d0058c45e922ae12006ed8e4a72cae64ccde1f90fe228cc6ff7abccc552849b9

                  • C:\lettera\prog\ini.bat

                    Filesize

                    1KB

                    MD5

                    d9806cc5878f4c4df79094a771a57991

                    SHA1

                    635a7d4af9b43054b750e04ecdf14f17ec2b218f

                    SHA256

                    5cd72ab78086b4980871f5a5208909ee18e88498d28d7878d27a24d932536db0

                    SHA512

                    e051654a48dd1040d85aefc316f3c2a5e949600199f93e915e79cf874e2c2ea18062293678eeef85ceb69a25ca73f3ca617e94246893d09bc8f14b1edea64a6d

                  • \??\c:\lettera\prog\LETTRIBRS.exe

                    Filesize

                    2.9MB

                    MD5

                    936ae0760d92e80cbd5aef52950219f8

                    SHA1

                    048f390894bd63abdc2a9984c03818b55510ca5c

                    SHA256

                    747b3d3db26b9c9dbc05f60f786fb8a7fa14526e8be110b95cf7fb13807c1e2d

                    SHA512

                    449b4a4b470469eb0a88ad4ed5127be9fb9c34a4c0075e2298b5580a601f30166f17ada7842aa77c1b413c942b5563c9668cb258ca7b9d9cac805399be18f729

                  • \??\c:\lettera\prog\LETTRIBRS.xlsm

                    Filesize

                    7.1MB

                    MD5

                    880d94d79321d0ac19540779ec386f91

                    SHA1

                    28518b27e583cef182a77014c8b4becdccd558de

                    SHA256

                    293011f58b23fb22fd5b568e34593ea5712870616b0e60b1c0be2dac3c788566

                    SHA512

                    b6e461f9f3c0eb4e0282ee4f220197ba416c3793b9dffe42c4c5c86b8231adabc5bddda9d1267e57150b25b046e3faa4e7a0d81cedf0278a64c09b45aa55e939

                  • memory/1948-35-0x0000000000400000-0x0000000000443000-memory.dmp

                    Filesize

                    268KB