caf5c45a50dda8a47067a5f5ebfb9b9d3cc12d16655cd37590eaf792f465a0d8

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe
Size

33KB
MD5

f4427b014263ecf29248471cd3ac5034
SHA1

e4674f8e8ea09e6a3e8a3c1acd989cb60a8eeee2
SHA256

caf5c45a50dda8a47067a5f5ebfb9b9d3cc12d16655cd37590eaf792f465a0d8
SHA512

7d16aeb57cb542d21d688dbdd5ce2c528d833cc3961c64aa02a8ae8a116d1de303c011e8efece15985cf29989117f6af7b4ccac41f98c020513942d0e8d3354a
SSDEEP

768:AzCzDHjqcg3fwgpYK/k59zck/fDBmaXjWDrNKgUOOm5a:fM3fiXjWvNKCOm5a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2372	plote.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2192	f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe
2372	plote.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2372	2192	f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2372	2192	f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2372	2192	f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2372	2192	f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4427b014263ecf29248471cd3ac5034_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\plote.exe
  "C:\Users\Admin\AppData\Local\Temp\plote.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\plote.exe

Filesize
33KB

MD5
b9332f67079bc41e9e4473e5d276d667

SHA1
c82ebdeaa691f41a68e368491f0d0ab6ed2398a4

SHA256
f64712fce471afa2e7cef155a83b9f3f0a4a2e1ab9c71ca325faea68989bf847

SHA512
904875bc405489048da2e7fd0eb258e1aab48d2545e6587b3e48d76dc8ea39e5199ad8b5154a8344585b453ef4fca824c9cb8e1786dd2654df2104149693924e

Download Submit
memory/2192-0-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2192-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2192-2-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2372-17-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download