eab3e220aa4c8e86d6c1eab628dca854e0fdbe953920c65a4169609a31fd5f4f

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
Size

209KB
MD5

f162da35436879620e40d6ccad225f73
SHA1

a756403fb1c035f70a3d508a83e2dcc38be3a613
SHA256

eab3e220aa4c8e86d6c1eab628dca854e0fdbe953920c65a4169609a31fd5f4f
SHA512

996158b2540bc7f41e0bf62056ddd3ed6e9290a871ebf8c9a6249685cce847488c86f448297766ac0aaef599653b0c354524583c93d26f9fa2c80d7904a1b3e0
SSDEEP

6144:zldXtrMT5ndLtnDo2P28a7DFl2tQqkOC:v9wFdLtc2+84DFl2qc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2152	u.dll
3032	mpress.exe
2264	u.dll
2324	mpress.exe

Loads dropped DLL 8 IoCs

pid	Process
2616	cmd.exe
2616	cmd.exe
2152	u.dll
2152	u.dll
2616	cmd.exe
2616	cmd.exe
2264	u.dll
2264	u.dll

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2616	2952	f162da35436879620e40d6ccad225f73_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2616	2952	f162da35436879620e40d6ccad225f73_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2616	2952	f162da35436879620e40d6ccad225f73_JaffaCakes118.exe	29
PID 2952 wrote to memory of 2616	2952	f162da35436879620e40d6ccad225f73_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2152	2616	cmd.exe	30
PID 2616 wrote to memory of 2152	2616	cmd.exe	30
PID 2616 wrote to memory of 2152	2616	cmd.exe	30
PID 2616 wrote to memory of 2152	2616	cmd.exe	30
PID 2152 wrote to memory of 3032	2152	u.dll	31
PID 2152 wrote to memory of 3032	2152	u.dll	31
PID 2152 wrote to memory of 3032	2152	u.dll	31
PID 2152 wrote to memory of 3032	2152	u.dll	31
PID 2616 wrote to memory of 2264	2616	cmd.exe	32
PID 2616 wrote to memory of 2264	2616	cmd.exe	32
PID 2616 wrote to memory of 2264	2616	cmd.exe	32
PID 2616 wrote to memory of 2264	2616	cmd.exe	32
PID 2264 wrote to memory of 2324	2264	u.dll	33
PID 2264 wrote to memory of 2324	2264	u.dll	33
PID 2264 wrote to memory of 2324	2264	u.dll	33
PID 2264 wrote to memory of 2324	2264	u.dll	33
PID 2616 wrote to memory of 1520	2616	cmd.exe	34
PID 2616 wrote to memory of 1520	2616	cmd.exe	34
PID 2616 wrote to memory of 1520	2616	cmd.exe	34
PID 2616 wrote to memory of 1520	2616	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f162da35436879620e40d6ccad225f73_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EDF.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save f162da35436879620e40d6ccad225f73_JaffaCakes118.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\F1E.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeF1F.tmp"
      4⤵
      Executes dropped EXE
      PID:3032
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\FF8.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\FF8.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeFF9.tmp"
      4⤵
      Executes dropped EXE
      PID:2324
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EDF.tmp\vir.bat

Filesize
2KB

MD5
8538b78c03e73420e61fc787c11eedc5

SHA1
8cce66220d7c1ba66fea7e73307a7809a469d61f

SHA256
337d6bc7a370da08d188a40d95d1053c3db5a135424a0fe21414aff7adba6355

SHA512
d7de5421e3bfe9ac47bab8817904199236843076b4502c74b960116d4c09b0d2a2a8b903a7f39b4742f75b814fee2600e08ee8979a9198a0c73b24b1ebd6d6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1E.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeF1F.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeF1F.tmp

Filesize
24KB

MD5
b799e4b3cff5cefeb8355cff4153f617

SHA1
cf39041f0b03033f148329b62c2f593ffb3ce8cc

SHA256
e6f5642d95d82404f0c87ce3b455c662ad247d533cc01b0f454d194b244207c4

SHA512
62e28c9cf91fd311d2dee021062a92eacf482455842a6f835afedfb368d84de089569ae032a37c85c05c4cc20d1e1aeeda2cda6e673fa42e00b80b19974b9f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFF9.tmp

Filesize
41KB

MD5
7cb94ab71579f67dd8167ccb854b359a

SHA1
74e86a56f85e57d281d3ef96e9a37e1cbdf00234

SHA256
94c019063145e6f988342dbbdad106f33eb452b627c2b49dab48e42491e84223

SHA512
bc25d4d61dce320e970c357d81acc8bf825ebece79ca49fd5cc7ab6c997e1f68d293a6a7efbf4fcf9720f1a955fec1f89564d736f70c610f8b09adc19663002e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFF9.tmp

Filesize
24KB

MD5
4a5be32fb94601714c46d106925cc4f6

SHA1
de1067395116b3a00152b34e24f6645770eaa2ee

SHA256
5a4aed2b271398f6a9b7de1290e7e5586a19aef9c2437404355c8cf639faaf62

SHA512
27796e99f88ff425751a976d721583a3084185137166a5083f6622cc5092b149e0943b98f96648b6f89ddf5759b870e715ca9aed5519c94e9a3dccb55dab8b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
6673de6a1dabaa4d59c833242a49fa19

SHA1
47e0e5f7b280f53b363452108fa8343be26c2df6

SHA256
7139c0e9fbcb0412bce31735778a63e64f9e33c1d03ebba7f5a23b13cde685ed

SHA512
c279a16d873f716edd4b1400e4e2fa2ad65fc1bc72fbb0c78f0bf72506e127b4ac8fa46d853915e790771fe620776da0c1c570d1a957f69c2bacb8cd2c8b2e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
ab9504b1525917562748b9e6b410400e

SHA1
ba9184d38fb1083ecdf71b06954587b88fd5fb51

SHA256
feee03f75de6678b47b290934c7fe8a5e32e6b0f28b706cf8bdab7c164e9c14a

SHA512
9de451d9b0fab08c53a33e50f09688acd380213eed4f8f0b1704cf5cec8e2deeb138666feb72e0813dd0140f4a22ed4b33e29a42b40b72a4a62ef8201b64b723

Download Submit
memory/2152-68-0x0000000001ED0000-0x0000000001F04000-memory.dmp

Filesize
208KB

Download
memory/2152-69-0x0000000001ED0000-0x0000000001F04000-memory.dmp

Filesize
208KB

Download
memory/2324-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2952-158-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3032-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads