Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/03/2024, 18:56

General

  • Target

    2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe

  • Size

    16KB

  • MD5

    2a199d6f1d78544b189a3039a2e5327f

  • SHA1

    aabe548e2279b1d62a0c05f1e9e248dcb8b77300

  • SHA256

    1c0fb95388f6abdda01a52b238868e4be0716a3fc30e3f32aeb4c0695d3f085f

  • SHA512

    b29a416d097fabf1d406107f48dd1f9767450da94a58629c96bf9f2b3b4f474e88eaf71565985b4c8a3a65ff6c897f6f9c527df254f3f9caf14b0e5ad30fe3cd

  • SSDEEP

    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYlY2d:hDXWipuE+K3/SSHgxmlYu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2a199d6f1d78544b189a3039a2e5327f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe
      "C:\Users\Admin\AppData\Local\Temp\DEM10E2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Users\Admin\AppData\Local\Temp\DEM6680.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM6680.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe
          "C:\Users\Admin\AppData\Local\Temp\DEMBC8B.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe
            "C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Users\Admin\AppData\Local\Temp\DEM671C.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM671C.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1364
              • C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe
                "C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe"
                7⤵
                • Executes dropped EXE
                PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM11DC.exe

    Filesize

    16KB

    MD5

    4f580111965e4033377e90d736a637be

    SHA1

    8b1afef6b392dac31bc071144141cb0224ba9ee7

    SHA256

    87b64c5663657c34009616618a790688af7835ac9f20c2125185174f26114924

    SHA512

    6c13357fcf34a153660cd4123f06463bcb073a4d56e142768377b2e24eeb360d584fda3c036802997235cb345cf786fc19c789ac55d8f012452ebb209d3ee195

  • C:\Users\Admin\AppData\Local\Temp\DEM6680.exe

    Filesize

    16KB

    MD5

    f622aaf0d0bb1221b5e461bc399f5628

    SHA1

    ec207c017570a17519e336ee6f38d6824315e7e2

    SHA256

    9bc833fd9d8ea867e2003e14ea8ec0a5c6ce2e629090c7f35dc6b40b3ce84a43

    SHA512

    5ffdd0515d42ecbae676a7516e39eac31bb311da29c42c9124e62b52f1a24d68ce87dfa9428ba5d706af7eafacb96018ab41d89a43ca06f9416694a6bcfe9813

  • C:\Users\Admin\AppData\Local\Temp\DEMBC4D.exe

    Filesize

    16KB

    MD5

    5c34dc96755d80a3c025930c9e7ced76

    SHA1

    77da55bdfee4fd7a36cbdfb6066150f26de8f469

    SHA256

    ad1db3c9e3d02f68fef5209d9f7de67cc2848a1a10833292bcb24abae620f2b1

    SHA512

    49c9ff88024e23faaf4f6a24a7cf36c2cae3a57f027d58ec1221efd5583b5c0102404a5ab9ee5b4c4cbaecc1af7891acc001639a5b0d30e09588c4696662b39a

  • \Users\Admin\AppData\Local\Temp\DEM10E2.exe

    Filesize

    16KB

    MD5

    e11bb021eeb805dea2b7d1e3e9042692

    SHA1

    63a18a1786aae9108fa60446b63a37a67f9c99f2

    SHA256

    86b53142f656d7ad5368851e754902236f69d9e859647a3a151432d0b9246a9a

    SHA512

    15ac808a5930b9cada19efede569de21a0559f5b864b20633a82d03c66b357b7a1e4067715271d142bb9f7776c67a5c5c078c159a534596c3b16b3297d76028a

  • \Users\Admin\AppData\Local\Temp\DEM671C.exe

    Filesize

    16KB

    MD5

    fd5a1fa5f0e87e02ec5d286cbf502aa1

    SHA1

    dcf325d5ac7cc6780059f1e447e4e96b344130b1

    SHA256

    4aa1d651a22d09d36b047e4a2969f5c7311fef2ef618289280d78e748a2471e0

    SHA512

    344360b6b77e4deca9421bf961e58287db9d6e44f733f2e487090c96f6c6982cd85bcc84c8e5bfad4905d2aa5aa9b880e08fd37e322d73f9a2dc37467426eaec

  • \Users\Admin\AppData\Local\Temp\DEMBC8B.exe

    Filesize

    16KB

    MD5

    69d07ef0a49b819af2f29845ef926eb3

    SHA1

    c42e288c538238b16422d1101245b804d1c36e55

    SHA256

    c95e6e4e17f4d9a50ff0f3c75f6e76d1a8a5fd1feb2e957879f47292a843ef82

    SHA512

    dc768bb226272dbb90126fc3fbe5adc655a5444df64732844b07f304a12b73b383cffbfb16d1480b083ef1362e3801f747893b137775b1d166e7903125db8967