656ba320591a2eedf81a807f1c1ab23c1b1935780d3b5aecafb2af6358c5f541

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe
Size

209KB
MD5

f1006dad911f74cc284e09d1183b971b
SHA1

4736ef52a186eb9599f55b71f7d3a1c407308711
SHA256

656ba320591a2eedf81a807f1c1ab23c1b1935780d3b5aecafb2af6358c5f541
SHA512

fc95355ce81c2301fb0be23db8531346c39075e30ed64211c0c220552cc21a58827bca6d349b6f29059d57ad33961a6fb6ee756724242d62d2d08024c36cd1b0
SSDEEP

6144:wlGB9lGgs73tjb+pJUdEeQ175fizzrqpDvAyZguG:FB9UgxJX19Kzzrq99gu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2584	u.dll
2736	u.dll
2988	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2092	cmd.exe
2092	cmd.exe
2092	cmd.exe
2092	cmd.exe
2736	u.dll
2736	u.dll

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2092	1256	f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe	29
PID 1256 wrote to memory of 2092	1256	f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe	29
PID 1256 wrote to memory of 2092	1256	f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe	29
PID 1256 wrote to memory of 2092	1256	f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe	29
PID 2092 wrote to memory of 2584	2092	cmd.exe	30
PID 2092 wrote to memory of 2584	2092	cmd.exe	30
PID 2092 wrote to memory of 2584	2092	cmd.exe	30
PID 2092 wrote to memory of 2584	2092	cmd.exe	30
PID 2092 wrote to memory of 2736	2092	cmd.exe	31
PID 2092 wrote to memory of 2736	2092	cmd.exe	31
PID 2092 wrote to memory of 2736	2092	cmd.exe	31
PID 2092 wrote to memory of 2736	2092	cmd.exe	31
PID 2736 wrote to memory of 2988	2736	u.dll	32
PID 2736 wrote to memory of 2988	2736	u.dll	32
PID 2736 wrote to memory of 2988	2736	u.dll	32
PID 2736 wrote to memory of 2988	2736	u.dll	32
PID 2092 wrote to memory of 2964	2092	cmd.exe	33
PID 2092 wrote to memory of 2964	2092	cmd.exe	33
PID 2092 wrote to memory of 2964	2092	cmd.exe	33
PID 2092 wrote to memory of 2964	2092	cmd.exe	33
PID 2092 wrote to memory of 2960	2092	cmd.exe	34
PID 2092 wrote to memory of 2960	2092	cmd.exe	34
PID 2092 wrote to memory of 2960	2092	cmd.exe	34
PID 2092 wrote to memory of 2960	2092	cmd.exe	34
PID 2092 wrote to memory of 2728	2092	cmd.exe	35
PID 2092 wrote to memory of 2728	2092	cmd.exe	35
PID 2092 wrote to memory of 2728	2092	cmd.exe	35
PID 2092 wrote to memory of 2728	2092	cmd.exe	35
PID 2092 wrote to memory of 2168	2092	cmd.exe	36
PID 2092 wrote to memory of 2168	2092	cmd.exe	36
PID 2092 wrote to memory of 2168	2092	cmd.exe	36
PID 2092 wrote to memory of 2168	2092	cmd.exe	36
PID 2092 wrote to memory of 2696	2092	cmd.exe	37
PID 2092 wrote to memory of 2696	2092	cmd.exe	37
PID 2092 wrote to memory of 2696	2092	cmd.exe	37
PID 2092 wrote to memory of 2696	2092	cmd.exe	37
PID 2092 wrote to memory of 2716	2092	cmd.exe	38
PID 2092 wrote to memory of 2716	2092	cmd.exe	38
PID 2092 wrote to memory of 2716	2092	cmd.exe	38
PID 2092 wrote to memory of 2716	2092	cmd.exe	38
PID 2092 wrote to memory of 2332	2092	cmd.exe	39
PID 2092 wrote to memory of 2332	2092	cmd.exe	39
PID 2092 wrote to memory of 2332	2092	cmd.exe	39
PID 2092 wrote to memory of 2332	2092	cmd.exe	39
PID 2092 wrote to memory of 1628	2092	cmd.exe	40
PID 2092 wrote to memory of 1628	2092	cmd.exe	40
PID 2092 wrote to memory of 1628	2092	cmd.exe	40
PID 2092 wrote to memory of 1628	2092	cmd.exe	40
PID 2092 wrote to memory of 1684	2092	cmd.exe	41
PID 2092 wrote to memory of 1684	2092	cmd.exe	41
PID 2092 wrote to memory of 1684	2092	cmd.exe	41
PID 2092 wrote to memory of 1684	2092	cmd.exe	41
PID 2092 wrote to memory of 2416	2092	cmd.exe	42
PID 2092 wrote to memory of 2416	2092	cmd.exe	42
PID 2092 wrote to memory of 2416	2092	cmd.exe	42
PID 2092 wrote to memory of 2416	2092	cmd.exe	42
PID 2092 wrote to memory of 1640	2092	cmd.exe	43
PID 2092 wrote to memory of 1640	2092	cmd.exe	43
PID 2092 wrote to memory of 1640	2092	cmd.exe	43
PID 2092 wrote to memory of 1640	2092	cmd.exe	43
PID 2092 wrote to memory of 2720	2092	cmd.exe	44
PID 2092 wrote to memory of 2720	2092	cmd.exe	44
PID 2092 wrote to memory of 2720	2092	cmd.exe	44
PID 2092 wrote to memory of 2720	2092	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\C40.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save f1006dad911f74cc284e09d1183b971b_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\2839.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\2839.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe283A.tmp"
      4⤵
      Executes dropped EXE
      PID:2988
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2160
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C40.tmp\vir.bat

Filesize
1KB

MD5
df79b1aa405504fd18cf4bd1344a3931

SHA1
f0e46175e00965b01e039470e307993745ad6c75

SHA256
3619408fe03f2e960d483bc837aaf29c8e41ff2e3ea119a38a864b5a99f3ce2f

SHA512
8db6821361b54c8777d4afc6ad850151a7c2936328e0cdd519898e0410c4108a4ca3a6a9e0591bbe604ff329d073e5a94b6daf710d53690746fa0d4f8049f88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe283A.tmp

Filesize
41KB

MD5
700e79358492de07a8717cf20ca2f14a

SHA1
f1be4ae88571a56004d75b9f1dcb89f964122f0c

SHA256
9d57f4e84ec5af01bc1f8bb36428febdb1ee8445ae6e87fbc0c632e1db409706

SHA512
e4b03ce6a0fea1e418bf9f9e9edda706f2c469120f9230ce3b8df30cbc5347639c2b51f60e598240a7c407340af8aabae27ae9fa4ccf74c4c1efa44878bcf039

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe283A.tmp

Filesize
25KB

MD5
19601edb3fc7e3b284377f9bad3d2357

SHA1
5e9de33c1cdd6c908bad7e74e0001fad8b67bce3

SHA256
b89084c35cec1bf6c8ab8a90f2efae3989ec62628f0b2cd782eaeeacd1810eb1

SHA512
1f1d466ff1a7268c586ad3f21765ccdbe4609d5ced5c5303bb60753b25e6992342a46ffec7af9a4e1e7210b10a628336da9e13031740e44d454cfae5640b1b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe283A.tmp

Filesize
42KB

MD5
adc324450e5f5b10cb2ea7216ed7126c

SHA1
6455a2f0422f6465369af558caed17b154e913c6

SHA256
0f942db133d4c44895fd0c2691b9e8dfdc979bee1c3d150843f4e4ec76a60b79

SHA512
137b8a28821a61e18f6434e36c0107c406a5f72313b06c2c63cf2a253eda2b16304a036bba919ee1e079881738fecf7fd30f5b3aa1ef2e15584ee4bb5d52f518

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
acd2460b36c01254c0510181db7e3b3c

SHA1
97f79fa642286b9b6fcdfa20eefb5a4838b529f5

SHA256
838dade19f948834ad46fc7c6bc33ae65e5285d9ca113d9de18134efc17ea905

SHA512
594b441d71f43fa8cc2249cbd4d9f6d469c794bfce4ca6f858152ed890625de4921deb2f42f8f9fa5939b1d7da9bb245c5530a358de12551a9709c3eca744534

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
13a094d6c8b4eeb1e1c9f7492a6da5be

SHA1
fc4c51644c762b9d4ca9a12ec08cdeb6eb014b91

SHA256
7526f09b2fe6324a9febc78970a8fc35fd8e56f0c310bb9a54747130f7cdb6e2

SHA512
7dd9802a392803932e1caec0c9d6a96a9adf4cfb002755cbdd0da390c3ae213bde6d56f879e426f92296a32f47f1858ad7d86339537d6eb10f1d38ce48058313

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
71c727b9eee0114840c65c471d079947

SHA1
6e9762c481d337ce458743ae81cfdc6f92a0708c

SHA256
8c824662c96a5b3e0c7d8edc53ae575f3f53ac8188d4029d4af08f27e050a928

SHA512
25c938bb60a9aebca2ed17fa8ea434fae8fb6a3114f3f158b12623bf4d49f91dc538da48f9e3d9be17bef7b52c18069b7effe8868626686b81e4de4889bba5da

Download Submit
\Users\Admin\AppData\Local\Temp\2839.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/1256-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1256-111-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2736-92-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2988-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads