02cc514ca6b10e2ac87a6926d0f962d0156e89a2b6ae21e2c177c9e09e8bd689

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe
Size

907KB
MD5

e78730d6016835d4303e1d187bed9501
SHA1

a3c7bb17cf4bdae87013363dfc1aef405d67ab0e
SHA256

02cc514ca6b10e2ac87a6926d0f962d0156e89a2b6ae21e2c177c9e09e8bd689
SHA512

8b91f811f6909f0dcd03b8211d25f558d32d6157e7c6ab053d1aa6f36e98ec956911bcb729a8cdde665034c5ae72870b914d01c5307f10765f9adbe373d16409
SSDEEP

24576:6JOaH1AIxWGFXSZ+mnSFYg1Z6RVha/ZS1:YH1AIAG4TaZ6RVhgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4360	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4360	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4464	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4464	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe
4360	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4360	4464	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe	87
PID 4464 wrote to memory of 4360	4464	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe	87
PID 4464 wrote to memory of 4360	4464	e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e78730d6016835d4303e1d187bed9501_JaffaCakes118.exe

Filesize
907KB

MD5
db183ac600a2ce596c53d3fe1dd4d45c

SHA1
70372173140b2a159d444ad80e5ef7e4d05e4cbc

SHA256
3e8b7c7709e79f221386de87ffaefe79ac6f7c37be1c2680d5856b2c8071d1b5

SHA512
8e70c6295da5fa67dbaa36e86a260f4f9ff1a76c39df4dc9d8002cb68c16eab9eb4feea5f3ba046c3f0a4d0a9c48701f994ce03f46f325042e3a5cec39f0b789

Download Submit
memory/4360-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4360-14-0x0000000001830000-0x0000000001918000-memory.dmp

Filesize
928KB

Download
memory/4360-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4360-20-0x00000000050C0000-0x000000000517B000-memory.dmp

Filesize
748KB

Download
memory/4360-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-35-0x000000000DA20000-0x000000000DAB8000-memory.dmp

Filesize
608KB

Download
memory/4464-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4464-1-0x0000000001730000-0x0000000001818000-memory.dmp

Filesize
928KB

Download
memory/4464-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4464-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download