3174fe3dd420fa157e715d7bf44f3cbf13b3300930978de2d6673f569c3aad86

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe
Size

6.2MB
MD5

1e1b86443305d92521921c0db7931f19
SHA1

f87a4f66acf2b5d073065758000c8dd5eae063d8
SHA256

3174fe3dd420fa157e715d7bf44f3cbf13b3300930978de2d6673f569c3aad86
SHA512

54b15ff2bfb52a0de2ab4ce0248d8e79ee2d7295ed53c680b1d87287dc9ee596107552aa5848e5a89dd9212ecf557c15ae061d0cbb258c80bc88a121ef9ceef1
SSDEEP

196608:9WWjrxDkYfj+uwyzYRUlh+vzWnoHavRfuOz9:9N3i+z2UlQzWoHMduOp

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2664	2340	1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2664	2340	1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2664	2340	1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2664	2340	1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2664	2340	1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2664	2340	1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe	28
PID 2340 wrote to memory of 2664	2340	1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe	28
PID 2664 wrote to memory of 2040	2664	WScript.exe	29
PID 2664 wrote to memory of 2040	2664	WScript.exe	29
PID 2664 wrote to memory of 2040	2664	WScript.exe	29
PID 2664 wrote to memory of 2040	2664	WScript.exe	29
PID 2664 wrote to memory of 2040	2664	WScript.exe	29
PID 2664 wrote to memory of 2040	2664	WScript.exe	29
PID 2664 wrote to memory of 2040	2664	WScript.exe	29

C:\Users\Admin\AppData\Local\Temp\1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1e1b86443305d92521921c0db7931f19_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.bat" "
    3⤵
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\014.tmp

Filesize
83B

MD5
ef29134d5abb8d5676b6e5ad42469fbd

SHA1
c2705afa4180a812df522602e06836f2e04d60c9

SHA256
4ba286a2580a2a2b7ee696b13b0a04b59f82b04d5441b50d715a1c5f860e5253

SHA512
073989a74f1dd1b15e4298edd8b94c1733da8096997b8055c294789e671f11de07ade856fc15b66614f526975dc7b18994e151a37b9b257002046c43baf2f206

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.bat

Filesize
133B

MD5
d4ccfb17eb96faa61e610331702be48e

SHA1
6cd206ad95e1747797853790113697eaacabcd7a

SHA256
aba97f7dfc9e9b7106d70d05bb385ebb1e6fcf111b290608fb54d2d18879f450

SHA512
a2d650c0b920de3b054dae4502683d45b65e6482e79e3451b44185e144c2e027c21246245ae914d065a4bedb462efbe99a7a2a704bf13a3e6561d02a87bef310

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

Filesize
81B

MD5
9b0a98146b081c9359c91be85c61e6d0

SHA1
a9bbdd5f048f35f83af31ffad76dfad444039706

SHA256
6a6e408a620e9281d17967a4a5d34548d090831cbea463aabf0f66f68b623dd5

SHA512
2dd70246f91d5d8254e10200342a1460f22731e8343ccdd1d807e39a51f191629bd1b8dce9b91c22f444a533624e81876437df10632d41d2762ad8e9f9854067

Download Submit