b2a40e2d57a690db443740cb7c0c92c7de67fdd885eaccbea76918a49d43886a

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe
Size

385KB
MD5

f237d81467076c00c5db9b4360758a4a
SHA1

f75120ee2a3fe6833456481b9afacbd75b954a6d
SHA256

b2a40e2d57a690db443740cb7c0c92c7de67fdd885eaccbea76918a49d43886a
SHA512

d4cbee353779ace3a460a8fd4af5e67027c3da05c868e44d7cf6641223266b17a65885dfc37c3526e52bb22ad9a3c6d24b9297ecf93f5a66aaf85a975034c9c5
SSDEEP

12288:qNAP2dK3/GY/wTAPfacKyZBF2/Wo6E71aB:xUW/TPixQBo/BaB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
824	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
824	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
14	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1448	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1448	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe
824	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 824	1448	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe	84
PID 1448 wrote to memory of 824	1448	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe	84
PID 1448 wrote to memory of 824	1448	f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f237d81467076c00c5db9b4360758a4a_JaffaCakes118.exe

Filesize
385KB

MD5
7163ba054df255665d4047a574ba313b

SHA1
0a942d946eab679796c56b18324a3cffb4ea0c38

SHA256
54805fa104bc2a72148c76916d3e6832548f6f8f4567f15e72147683002bb5ad

SHA512
3ab1bbafa62863c585d8369438e28b9291c5138936ce3de4a5759e6968300cd609debdb83cec95f321e136af4fc5d26765a139e9fda4920b735801c89edec987

Download Submit
memory/824-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/824-14-0x0000000001600000-0x0000000001666000-memory.dmp

Filesize
408KB

Download
memory/824-20-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/824-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/824-35-0x000000000D820000-0x000000000D85C000-memory.dmp

Filesize
240KB

Download
memory/824-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1448-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1448-1-0x0000000000180000-0x00000000001E6000-memory.dmp

Filesize
408KB

Download
memory/1448-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1448-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download