044008d32b4212fe4c72a5a481dc492838bda8cd648df4e0e3a5ff14cb37910e

Analysis

max time kernel
4s
max time network
81s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe
Size

30KB
MD5

0cdcf9dbfc333ad250d68f77c7469da7
SHA1

e4a984e1908dbd7d81c046eada64d5b8de4523e5
SHA256

044008d32b4212fe4c72a5a481dc492838bda8cd648df4e0e3a5ff14cb37910e
SHA512

96a2b9250e9186752f9cf06a46c68d78c8c022b451bf6f01ed965c6f7e9435f899ff8ee1180d5e680e0c7a1622b5e4f4ca250f5f80004549397159fe06879bd7
SSDEEP

384:Y9Icz3kBWTHdGav99999999yi9wKKCMfxrZYkdzYHQ+GBgqPKmco:YRDzv99999999yiuKKCMfxrZY2+GmgCo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2164	hhcbrnaff.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2164	2336	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2164	2336	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2164	2336	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2164	2336	0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cdcf9dbfc333ad250d68f77c7469da7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
30KB

MD5
d05917c45e352e92ee5156196dbbc99c

SHA1
73353561ec3dc7a743f70fdf9faec08924370a1e

SHA256
2089d21175d065477c5d6fefeb206d72bab70aec043e9ac81786a91b17ef5d8b

SHA512
13bc391e04c2821f9fefe460f1150dde6c81e9f87386bf26abc6e5b1cd90b4b3b95f5ebe7be5f67c16a643ca6a61c822450d4503db19c45e92fa97e51b063eb3

Download Submit
memory/2164-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2164-15-0x0000000002AB0000-0x0000000002EB0000-memory.dmp

Filesize
4.0MB

Download
memory/2164-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2336-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2336-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2336-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2336-4-0x0000000002B00000-0x0000000002F00000-memory.dmp

Filesize
4.0MB

Download
memory/2336-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2336-8-0x0000000002F60000-0x0000000002F6A000-memory.dmp

Filesize
40KB

Download