2e0299ea26c508c354d02c7673953512195df45279707152d592847a2958cc54

Analysis

max time kernel
3s
max time network
71s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe
Size

9KB
MD5

d05eab163a8319bc9177ad85fa3a13c7
SHA1

79688d8f4aab727c131cb1c1e8b58cd3cdd882ac
SHA256

2e0299ea26c508c354d02c7673953512195df45279707152d592847a2958cc54
SHA512

27b30d187bd957e95e0c1eb3105422c3caad04214a39016018d35eb3a309ddadc79aeff47ca68a2ec648ff9e71449f613e823b163580cb6912b4c6f003dcba71
SSDEEP

96:Xk2ajp57NHzuHnnwR2UDCtlaJk9xzEPfBo4hOCVQzB2xvX7CV+ppfbWTVVVgx:9wunwR2bV3Oiy+wzn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	quity.exe

Loads dropped DLL 1 IoCs

pid	Process
2696	d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1936	2696	d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe	28
PID 2696 wrote to memory of 1936	2696	d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe	28
PID 2696 wrote to memory of 1936	2696	d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe	28
PID 2696 wrote to memory of 1936	2696	d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d05eab163a8319bc9177ad85fa3a13c7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\quity.exe
  "C:\Users\Admin\AppData\Local\Temp\quity.exe"
  2⤵
  - Executes dropped EXE
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\quity.exe

Filesize
9KB

MD5
a4da1f5d1599974c26df69971486f1fc

SHA1
ee6d785211c8f8a972d09aec354e1f9dbe50833a

SHA256
65bd20f5b13649844edd6882956cd8916a1ff799972c51fb8664c46c2e1b79bf

SHA512
6c43684e6d663e6d8307b7f9fde604cb435841a980797af8ea31c33ec88d8ee6a46385de49fbddf6e7d789daa71b98de6d6eeef86c6177213a542d0c582d2886

Download Submit