67d1a4564a990ed28a2010d8713baaff60c3f3ff6d7daa8b5443d920b086a7e0

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 13:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe
Size

907KB
MD5

eb2cba75bd7123a159f5eb6a9991411d
SHA1

61e9a7b8f87ce1e35424e4786ef4b3beee86cfa8
SHA256

67d1a4564a990ed28a2010d8713baaff60c3f3ff6d7daa8b5443d920b086a7e0
SHA512

ffc5981fa63631d261215831fcadf097a06aba5cc6405ba53e855bab409626dec82cc475ba8347e8821afa0e838bcc6a06b7fddb21b721c893971d14baa3cb09
SSDEEP

24576:D6K7fowWt91jrCywHv9HY/rrkkIW9S9Ma/ZS1:Dx7fxW/jUY/rrxIW9LgS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1336	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1336	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4792	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4792	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe
1336	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1336	4792	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe	87
PID 4792 wrote to memory of 1336	4792	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe	87
PID 4792 wrote to memory of 1336	4792	eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eb2cba75bd7123a159f5eb6a9991411d_JaffaCakes118.exe

Filesize
907KB

MD5
10e658c53cab5488a88040beec39a540

SHA1
e3e674b7fa1293d9936923799c69918e83117117

SHA256
42d05eba7c02ab7bd2038ba658a78080679bd58f69e156269ac1ce58a938e2dc

SHA512
d45b0497a63a9caa0e6db0164d38788c206dc9a96bbb8db34613f8e232090a954bae49148784c131b0ffe65cd48cd91546be8a0fbbe6e9980648b90337186efd

Download Submit
memory/1336-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1336-14-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/1336-20-0x0000000005080000-0x000000000513B000-memory.dmp

Filesize
748KB

Download
memory/1336-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1336-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1336-33-0x000000000CA00000-0x000000000CA98000-memory.dmp

Filesize
608KB

Download
memory/4792-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4792-1-0x00000000015B0000-0x0000000001698000-memory.dmp

Filesize
928KB

Download
memory/4792-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4792-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download