192e859e260caded9576af772eef6bb1572040afaa9f184834f4a48bae0ffd63

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 23:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
Size

199KB
MD5

e8bd09ee097a102f5c34ab8d07751993
SHA1

1c014224a5207f23e95e4bc00b9e79339f4fab83
SHA256

192e859e260caded9576af772eef6bb1572040afaa9f184834f4a48bae0ffd63
SHA512

c884893722461dcbad6bd55b37fc0ceb14581982d7c507c293fef544c8f03f92d5b3d9906f3a519e1024721163af666d6ec6a8b9049db6ccd11a497b850906a3
SSDEEP

3072:FHb/IORhuAKsACDnBWIG0LksqWcSD7nJ9YWzGXL2L/3hxrkUZqhx7Z75fYDSVnLD:FT+ds7PojSDLQWK72L/3EduDkLsg2IJ7

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2644	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2644	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2644	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2644	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2408	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	30
PID 1296 wrote to memory of 2408	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	30
PID 1296 wrote to memory of 2408	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	30
PID 1296 wrote to memory of 2408	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	30
PID 1296 wrote to memory of 2332	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	31
PID 1296 wrote to memory of 2332	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	31
PID 1296 wrote to memory of 2332	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	31
PID 1296 wrote to memory of 2332	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	31
PID 1296 wrote to memory of 2724	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	33
PID 1296 wrote to memory of 2724	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	33
PID 1296 wrote to memory of 2724	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	33
PID 1296 wrote to memory of 2724	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	33
PID 1296 wrote to memory of 2776	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	34
PID 1296 wrote to memory of 2776	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	34
PID 1296 wrote to memory of 2776	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	34
PID 1296 wrote to memory of 2776	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	34
PID 1296 wrote to memory of 276	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	35
PID 1296 wrote to memory of 276	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	35
PID 1296 wrote to memory of 276	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	35
PID 1296 wrote to memory of 276	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	35
PID 1296 wrote to memory of 296	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	36
PID 1296 wrote to memory of 296	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	36
PID 1296 wrote to memory of 296	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	36
PID 1296 wrote to memory of 296	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	36
PID 1296 wrote to memory of 1368	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	37
PID 1296 wrote to memory of 1368	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	37
PID 1296 wrote to memory of 1368	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	37
PID 1296 wrote to memory of 1368	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	37
PID 1296 wrote to memory of 1456	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	38
PID 1296 wrote to memory of 1456	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	38
PID 1296 wrote to memory of 1456	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	38
PID 1296 wrote to memory of 1456	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	38
PID 1296 wrote to memory of 1336	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	40
PID 1296 wrote to memory of 1336	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	40
PID 1296 wrote to memory of 1336	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	40
PID 1296 wrote to memory of 1336	1296	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin4B7D.bat"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin1251.vbs"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin05AA.vbs"
  2⤵
  PID:2332
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF994.vbs"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin1251.vbs"
  2⤵
  PID:2776
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin82E1.vbs"
  2⤵
  PID:276
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin69C5.vbs"
  2⤵
  PID:296
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF994.vbs"
  2⤵
  PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin0CF4.bat"
  2⤵
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin460A.bat"
  2⤵
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\EB6FC013\cfg\1.ini

Filesize
1KB

MD5
8150f458ed6fb9b1db4e5cfa57a1a281

SHA1
6e5726854d28687b560d7fdcb5c782c425c7dfb9

SHA256
4c13d452dd5d49671bd93ca32f2b4f85c78e39b6ab0ad1f38d98ed267f8fd896

SHA512
4cc6a112673aef8bb8bb8a385c26791b805d43bb707b509880e894f1c83bab4e16f13de187036c5f660c3bec1d286258396b7bde65c5d7945c5019665196818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB6FC013\Setup.exe

Filesize
15KB

MD5
035678cc2ee4ef2103a446286d1ad58b

SHA1
3d821e29e8a6a15a01bfb47c841fa7df221d861a

SHA256
58d2d8666e259b0326f86b9afd39656990ad84150a4b06fe14ebf9687b2b66e4

SHA512
2cc3f9ed8c4e37928662155613f7fca47cf6919ef31eaf0cefa9651ab6303f53f0973c43069f46f969abea125ba3e74964d8b1bd8a1ee7739d656c05833712c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB6FC013\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin05AA.vbs

Filesize
1KB

MD5
07ec365b741f4e67e04a4796a7d6ef4e

SHA1
e937ca1c0fb3eac697d97264681753d388a6cab4

SHA256
11679a37a214765a568cc3501ef848c3f55b08bffe9d00a75ad1a761a85fcc94

SHA512
1e637553354a5fd9d8b0560fe388be84a8c07d91eb3864b65e728c559932ae4eba7539e4637008104c761d212412aa1b7b01cb4e9ddd3ab927c22620f38062a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin0CF4.bat

Filesize
50B

MD5
c6ad6385612eae7539fe4364f567ddb6

SHA1
ad3c7349ef9594498ace46308e158861604e371c

SHA256
96d5005709a30488fe052a9cb5115b810cceaae56b759eb86098eb24d87dc70a

SHA512
8904e49e38b44f4de671a48e60a8735b0a04841878064d2f5424988e8e35beef05698687d43d1c9484af89ca50de9f54db56b9f3ea7bfbfbd7cf6875ca739778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin1251.vbs

Filesize
304B

MD5
4a2abaf5d668617daa04c0513352f584

SHA1
88dc5df3975e73981896166796186311061e84e6

SHA256
555400e492889cb5600048619da5e2b080d7f51825107d48838d1a0c7f5c6f6e

SHA512
9e1f71849f1a88059a9e3bf1042fd0c8fe456293351064dfd14943bf7e39c347b4ecae1d91e7816def359e184500bb2681e6b658315428459a2e8b18e1f53b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin460A.bat

Filesize
46B

MD5
7ea74d4b42e9684f17c3b4055d6ff994

SHA1
ecaba020756979dd2b48c58d6c69513ef5499a6c

SHA256
8f59dbf1b889aca1e187cd4c5eeb4ed6622a701bc373d3f07b1ad9a853f78a08

SHA512
f1ec69c579f33b3032552d95b2d36f3aa75bb66c29edd45b856c86bbc8cc319d7db8ee2fd55f3447649d21d73be29791484fc0e50b28912fb7554b9dc5c1047c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin4B7D.bat

Filesize
44B

MD5
9af15ed6e5abd009d9abbd8d918cbb13

SHA1
f601ead9d527415d766169af1a9c890f8b3170fc

SHA256
ffa926aad33aa86bda491e4164a453ae0ddc68974ffa3aec2920256b91cfdde3

SHA512
aa1f5fa84c5fc2ae2722d08a43c785935ce0208faceb0ec2c0cf534aeb5751d37ad0c677b1427f5481650b12681df697111485707dcddb2ca087fa8f8f2434f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin69C5.vbs

Filesize
819B

MD5
d2f4af12437f16273a9474e3e7ec994b

SHA1
83b64612c4404bec5cc811f2e34be64fc8bc2f33

SHA256
8684cecf4f2de3a88e9d34d95b22d3ea8133154a355cf02f62310d9295f411ef

SHA512
52e9195c5287ae027b60d6bb7945c2c486c31375d60ec408332bb212f0bac2c437c5ba3bf3093abe6e3806a3694b37decccc6a76d308e1b3524c823d72b08208

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin82E1.vbs

Filesize
419B

MD5
64388bc6abf354a50fdc4d4366278f55

SHA1
0b881fffb2e8daa3bf13676b5c067053bd85c78c

SHA256
7efab0cf4fc5aaf576d2970179102ba82fd047934bc24ee6bf837b8e11489e07

SHA512
4c9ccebe95c28fa927cf2d997fa990981f92eff875276a2b2f79dd3908b0b835541a63470626faf7706540bf9ac7acc27b8977002d6d9bb700c5fb5d5fa19520

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinF994.vbs

Filesize
2KB

MD5
ff63f4e52d0522e07b53133ba9fb30a3

SHA1
849b67590001cc22a6ff278a39086a8db464dee2

SHA256
809b1464cb4e687eba0dda77ca0a764405d06ad7b5db5c6e88b65e0e1977054f

SHA512
48c122295fdc918de8df0edd175e057c5ac5b6098d2d535b18bccbfb4b636b7c4b3460b461a3ee0bc37fbf89f94bff2002bb03cfbca8bd5f95f49ef9f31d7cbb

Download Submit
\Users\Admin\AppData\Local\Temp\EB6FC013\_Setup.dll

Filesize
70KB

MD5
f3948a2b841c38a80e7e77fab9969b54

SHA1
ea85ccbe5bfbffffea4937fd0279f58ea7cd9588

SHA256
6d65a95036f94f9be2137fa0d74173725dd1a3d5ddc7cc4145194c811e97f831

SHA512
0b0be388866b6882a627572275df0abcead380206f8476bcceeaa470179640d004a3a6bb9fd2d56b31a9221a4629eec22e8a94084b9b8a519b38c997dbb56121

Download Submit
\Users\Admin\AppData\Local\Temp\EB6FC013\_Setupx.dll

Filesize
16KB

MD5
a3e3a7c55dac05898f398f0ef4ef16fd

SHA1
2245eebc8ef1d3c1ae7f395ce168b0a93fb0f016

SHA256
25e262cf0f72f8e8bcd0bc6f4cabcd8dcf397ac027cce46ce8ac19511afabffe

SHA512
e7d8e21b6f40caccf519ba27895c09ae07ade7c82982265c249228ed0bd18179b6e25dedf2596e6be60db782d80cfeb014c43c5d25757c156d54fd5ae4193d90

Download Submit
\Users\Admin\AppData\Local\Temp\Tsu-0510.dll

Filesize
245KB

MD5
73ab2fa6713cd108c19b237df05c197f

SHA1
fbad732b255459afb999ee5382d03bb44888721b

SHA256
07c19489e709c64915cf3e1d418f9e215a9870ca1251ef00a5bfb8e10547d4e1

SHA512
0c863fb7007b9c60c19566044ce0a102b4a18fbb5b2921b043269731a9bb986a1fb799df70c04cc1bca9e46025962b6761f6693aa5c6a5d63d9be023724e0ebf

Download Submit