5575d95012ff4c158614df59ec8f3adfc49e54588dde5b393c980cbf2d1c4716

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe
Size

385KB
MD5

f05cd90a94f4df41565c1b24a06fc566
SHA1

dfc963e9cf6c41e808a52a6736203d247f9a3608
SHA256

5575d95012ff4c158614df59ec8f3adfc49e54588dde5b393c980cbf2d1c4716
SHA512

2e0555c00ab0f88f4ab4872ab9e52c8476d8c20f87fb20d5b5fd36f761880c4d0d677be6751ea444166e1ee2c77bdedeb5038e1aabf85a32651a00d30ebbb16e
SSDEEP

6144:/b/p3ScVYGDiEOoqcqrq97VmGmxHeYp7G6cJNI2npnSyC/v92IIvdB:zx3WGDVqcqrqdVhmZk5jnpnSyC/v8rB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2872	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
11	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3452	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3452	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe
2872	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2872	3452	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe	91
PID 3452 wrote to memory of 2872	3452	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe	91
PID 3452 wrote to memory of 2872	3452	f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3528 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f05cd90a94f4df41565c1b24a06fc566_JaffaCakes118.exe

Filesize
385KB

MD5
a8c6410418cb4095e347f24ec0a25f8a

SHA1
45cd5b5372a239a7b7cf2de783a972fcde692faf

SHA256
64543ec76bb86edda6520f68292f14755961af93fdbdc54b50d1ff0f4c583361

SHA512
b6bd452d657790e48d79ef0565954b33093f516d5fc7864812b69127c7e10120f274a743e9cdd392533bd78495f41169294ef60dce39dfada207cb48e4d8ba95

Download Submit
memory/2872-13-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2872-14-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/2872-20-0x00000000015E0000-0x000000000163F000-memory.dmp

Filesize
380KB

Download
memory/2872-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2872-35-0x000000000C5F0000-0x000000000C62C000-memory.dmp

Filesize
240KB

Download
memory/2872-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3452-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3452-1-0x0000000001470000-0x00000000014D6000-memory.dmp

Filesize
408KB

Download
memory/3452-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3452-11-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download