192e859e260caded9576af772eef6bb1572040afaa9f184834f4a48bae0ffd63

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 23:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
Size

199KB
MD5

e8bd09ee097a102f5c34ab8d07751993
SHA1

1c014224a5207f23e95e4bc00b9e79339f4fab83
SHA256

192e859e260caded9576af772eef6bb1572040afaa9f184834f4a48bae0ffd63
SHA512

c884893722461dcbad6bd55b37fc0ceb14581982d7c507c293fef544c8f03f92d5b3d9906f3a519e1024721163af666d6ec6a8b9049db6ccd11a497b850906a3
SSDEEP

3072:FHb/IORhuAKsACDnBWIG0LksqWcSD7nJ9YWzGXL2L/3hxrkUZqhx7Z75fYDSVnLD:FT+ds7PojSDLQWK72L/3EduDkLsg2IJ7

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2504	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	88
PID 4728 wrote to memory of 2504	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	88
PID 4728 wrote to memory of 2504	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	88
PID 4728 wrote to memory of 3048	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	92
PID 4728 wrote to memory of 3048	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	92
PID 4728 wrote to memory of 3048	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	92
PID 4728 wrote to memory of 1012	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	93
PID 4728 wrote to memory of 1012	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	93
PID 4728 wrote to memory of 1012	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	93
PID 4728 wrote to memory of 4676	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	95
PID 4728 wrote to memory of 4676	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	95
PID 4728 wrote to memory of 4676	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	95
PID 4728 wrote to memory of 3180	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	96
PID 4728 wrote to memory of 3180	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	96
PID 4728 wrote to memory of 3180	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	96
PID 4728 wrote to memory of 3312	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	97
PID 4728 wrote to memory of 3312	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	97
PID 4728 wrote to memory of 3312	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	97
PID 4728 wrote to memory of 4492	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	98
PID 4728 wrote to memory of 4492	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	98
PID 4728 wrote to memory of 4492	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	98
PID 4728 wrote to memory of 2704	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	99
PID 4728 wrote to memory of 2704	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	99
PID 4728 wrote to memory of 2704	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	99
PID 4728 wrote to memory of 676	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	100
PID 4728 wrote to memory of 676	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	100
PID 4728 wrote to memory of 676	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	100
PID 4728 wrote to memory of 3308	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	102
PID 4728 wrote to memory of 3308	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	102
PID 4728 wrote to memory of 3308	4728	e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8bd09ee097a102f5c34ab8d07751993_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin4B7D.bat"
  2⤵
  PID:2504
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin1251.vbs"
  2⤵
  PID:3048
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin05AA.vbs"
  2⤵
  PID:1012
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF994.vbs"
  2⤵
  PID:4676
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin1251.vbs"
  2⤵
  PID:3180
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin82E1.vbs"
  2⤵
  PID:3312
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin69C5.vbs"
  2⤵
  PID:4492
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinF994.vbs"
  2⤵
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin0CF4.bat"
  2⤵
  PID:676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin460A.bat"
  2⤵
  PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InstallMate\C72CF973\cfg\1.ini

Filesize
1KB

MD5
8150f458ed6fb9b1db4e5cfa57a1a281

SHA1
6e5726854d28687b560d7fdcb5c782c425c7dfb9

SHA256
4c13d452dd5d49671bd93ca32f2b4f85c78e39b6ab0ad1f38d98ed267f8fd896

SHA512
4cc6a112673aef8bb8bb8a385c26791b805d43bb707b509880e894f1c83bab4e16f13de187036c5f660c3bec1d286258396b7bde65c5d7945c5019665196818c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C72CF973\Setup.exe

Filesize
15KB

MD5
035678cc2ee4ef2103a446286d1ad58b

SHA1
3d821e29e8a6a15a01bfb47c841fa7df221d861a

SHA256
58d2d8666e259b0326f86b9afd39656990ad84150a4b06fe14ebf9687b2b66e4

SHA512
2cc3f9ed8c4e37928662155613f7fca47cf6919ef31eaf0cefa9651ab6303f53f0973c43069f46f969abea125ba3e74964d8b1bd8a1ee7739d656c05833712c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C72CF973\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\C72CF973\_Setup.dll

Filesize
70KB

MD5
f3948a2b841c38a80e7e77fab9969b54

SHA1
ea85ccbe5bfbffffea4937fd0279f58ea7cd9588

SHA256
6d65a95036f94f9be2137fa0d74173725dd1a3d5ddc7cc4145194c811e97f831

SHA512
0b0be388866b6882a627572275df0abcead380206f8476bcceeaa470179640d004a3a6bb9fd2d56b31a9221a4629eec22e8a94084b9b8a519b38c997dbb56121

Download Submit
C:\Users\Admin\AppData\Local\Temp\C72CF973\_Setupx.dll

Filesize
16KB

MD5
a3e3a7c55dac05898f398f0ef4ef16fd

SHA1
2245eebc8ef1d3c1ae7f395ce168b0a93fb0f016

SHA256
25e262cf0f72f8e8bcd0bc6f4cabcd8dcf397ac027cce46ce8ac19511afabffe

SHA512
e7d8e21b6f40caccf519ba27895c09ae07ade7c82982265c249228ed0bd18179b6e25dedf2596e6be60db782d80cfeb014c43c5d25757c156d54fd5ae4193d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-1278.dll

Filesize
245KB

MD5
73ab2fa6713cd108c19b237df05c197f

SHA1
fbad732b255459afb999ee5382d03bb44888721b

SHA256
07c19489e709c64915cf3e1d418f9e215a9870ca1251ef00a5bfb8e10547d4e1

SHA512
0c863fb7007b9c60c19566044ce0a102b4a18fbb5b2921b043269731a9bb986a1fb799df70c04cc1bca9e46025962b6761f6693aa5c6a5d63d9be023724e0ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin05AA.vbs

Filesize
1KB

MD5
7fcbdeb526c0b50f3b964376194a909f

SHA1
2c50c19ca304e5867bd94fff62b17cba2d9cfc2c

SHA256
b2744b2df9e8d5b336203ff1dbf45447ae5abc07a37ce2e8c2dbe28f2b02bcf4

SHA512
4371da42cb155d600788729ff5578b83552dd91715566a5011ceac81dc6072f288f531f998d3dc6339d7d1ab2c4b59164c4fd5e83544c557682520046efe9661

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin0CF4.bat

Filesize
50B

MD5
f63272182f0ab68aaa3a4a68fc6efd3f

SHA1
a8cacb736d4d2b1b92ebb5a96ae508f735cbeb46

SHA256
6a7da3291bae369eea9bca5d88adccc180cf7f6fc24fcefcf9d7f4b23e8a7add

SHA512
01704f6366a1f68da3d638e81872803eacd7572dbbcf515f27d125614c0b079f37dd8f851d442065f1ce8a2cf17255d607a80441acf018b37192aafeefef4b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin1251.vbs

Filesize
304B

MD5
56f792c807682d7a87acfbbbc6fd82a4

SHA1
6499fa79ba9457f6fcd686a9026315b59903e313

SHA256
3e73048ec05cbdd483f302122137501c424bb6d35e668339c990d25300c38e48

SHA512
deed087e9e493786ec19175c4836a4ddfaeb1fff18c02db18292230e16372b68a35218c6c961eda51ad1eec760d8cd7174524f9e9dc28597034823796ea1fa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin460A.bat

Filesize
46B

MD5
b43c40cd61b0afa9e7bfce2db806abc2

SHA1
17da1a2ce1663c6ba8660221349e61b96f937833

SHA256
15c213338e11aa1181289a41c870ad3984e2f9fd5b94f5f82be426086bcb5ce9

SHA512
9ae26eef72cf632e6b166f635f40951438dea5b0be21dc258583589659a425db825a6203b94307cfa1d422483aef702557d0437d90db4424067eb09bb29f7b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin4B7D.bat

Filesize
44B

MD5
f381f789212eda4eb79c21f264e02744

SHA1
2724b4500117ad8410df9c6bc7dde5e19fb1a526

SHA256
9bdb2245cf9c0c3fd080efeda420d13ed660e082e20b4ee24e7cd96b4088e1ab

SHA512
c6d1989d71df55226770db1606e7f8a5ce39da707283ecaafd6c57548f0423cd9633729b9c1e5d9707b6477e4e321069dcc9db6be30469660fc3d5dfe7a1a08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin69C5.vbs

Filesize
819B

MD5
a470de75ab1291bc7c8c2f2de5da6fc5

SHA1
7ca32517e71114b0918f2a7ba0cb90684c4ae5e8

SHA256
5ac6cbb4853d3eefc647beeb1c2c6358e4e4be716ed542c83522750ac5c211d6

SHA512
22416b78e8f1a8fce68fd40fb1da32a17d0fd4cfc7de501bbccc7c74d6980133ed3d491e54da0c5484a0b1d3b094313c19af745fd108db895385e2da57c014bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin82E1.vbs

Filesize
419B

MD5
6051d62ab92acde563fb4d7e0b451804

SHA1
97a82498272a7915b4cd018e4c6a44031505849c

SHA256
ca9ad990a24492b9485b23b412c0e5f263866ee6ab4152f268aa54632b5e9d81

SHA512
32a0533cca1197f254f95b267081df87b0ced3b80b84788310cbe56b88b6b33822628348bb7cb5edfaa357d2cf30b5739c8919967ce8be63b2660b2d66eb1f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinF994.vbs

Filesize
2KB

MD5
8ac080e8d34b1f5e0e065c844c406193

SHA1
1f89c6db52f0d5a1bf2e2b4fd03632cc15055957

SHA256
8d2663985ca94ccf32096f5b02a816837dd66784fced56a97cd337a27d0c2be1

SHA512
71514865b366629dd99723a0ce3d0d5a92e27d0cef9b5a28d7e22d38dccc6d4746f83a6f7761191ff2fbaaea2feaabfdd78173cd813e0d7cedbc6be492dd382d

Download Submit