Analysis

  • max time kernel: 160s
  • max time network: 169s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 04/04/2024, 17:37

General

  • Target: be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
  • Size: 1.1MB
  • MD5: be84124151ed648b1b236e244142a92f
  • SHA1: baa95fb4f850ed518cd3f8b2286b755734d84360
  • SHA256: d79fac50d787b497de862322274d0541eb3095ec92fb66ae683ccd5360246869
  • SHA512: 12f9eab03c4b0804938f6a8a1e8ad9b795e8dd4cd4007e2bd7958e0576e54673b7b3b21861de18e6f539c61226b89ffb2537929f24c4eba553150952f5be8765
  • SSDEEP: 24576:6ArW/8hh0FQAq7c8nA7YMv3+DpBNPRI9ovlG4XozaEhptdPYfCG6bYVxXNVD8pVt:6e0mfW3YNPRRlG4saIprQNk

Score: 7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\be84124151ed648b1b236e244142a92f_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      PID:2696
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
    Filesize: 92B
    MD5: 2004bcee923b0e0222f4cab87c2c2a3d
    SHA1: 0a3c122b7cfe403403d913ecc1b328480b1bfc2a
    SHA256: f92f08df2b65e2f5b5db141c99b098c8b077c0c853a1fd51bfcc6d40dc68ad77
    SHA512: cae47a4dfdb942622ebca65d57e9d80c29cb299aa8c217983e34a51655c2e96ed26c7fa2fad978b6279ed4d3c8c0571e417c60152bf66a116f67d0fe38d6a445

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
    Filesize: 735B
    MD5: 15287e4b78ab920ea0081591f8106615
    SHA1: a1628bd63201e179f636af77f3d58c9a1a4a97e2
    SHA256: c4ea5abf1d82828f77819dfa7dc9b728206518cecc387f279b10bef2f4e10c3f
    SHA512: 6211fdb6eeb7dbd342e44f40ebfd73b415574ae76354d498887b44473c55b07656feb5709cee320a8a5f22f62931f4518136000e12065e0958d6eb46dae4f1a7

  • \Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Filesize: 1.1MB
    MD5: f42eb169ae6fc4797d2bd10b409a4686
    SHA1: 7d4282523a4d1ec1ea02c0dc13124cb60bff2d9a
    SHA256: 5ec91e54b1beb2161a81c58e89ff56a90ff497b3efefa4d99cf930637bbd569a
    SHA512: 1ebfb4dd11371dc9e3affb731fe6ea51affa096c1a12c163555e5b18c32cf6ca545258c1a66d8421e6e44a066f541ec04fc6da85c3d9918945eb5a71e8b3fb95

  • memory/2984-0-0x0000000000400000-0x0000000000549000-memory.dmp
    Filesize: 1.3MB