3c5f46528e27f157573bb910e9537e55d8c2082befcc7ccda978ae61beb88f53

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
Size

729KB
MD5

f504e8f2ed3a2445c9be47d0e9368f4d
SHA1

7c926b7e7d68422971dc5e13449869164b8b0e83
SHA256

3c5f46528e27f157573bb910e9537e55d8c2082befcc7ccda978ae61beb88f53
SHA512

e5158bbd6373eea80495d2337b9387332c33121a8ef2fc66084b6a9d841e821c9d354c1cbd65945d542083f2c1ac6e74ec51734812952359ef7841e07b4ff81d
SSDEEP

12288:lnwRDhyy7NnY/fp1e1ePGGJdmPiF4Reva6758ze+T+imxRXlgUy4Ni8XsDIFKqFV:lnwRDoy7NnEh01AbZ48yepa+ieVN

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
1912	powershell.exe
2440	powershell.exe
2348	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2440	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2440	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2440	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2440	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2348	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	32
PID 2868 wrote to memory of 2348	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	32
PID 2868 wrote to memory of 2348	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	32
PID 2868 wrote to memory of 2348	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	32
PID 2868 wrote to memory of 520	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	34
PID 2868 wrote to memory of 520	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	34
PID 2868 wrote to memory of 520	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	34
PID 2868 wrote to memory of 520	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	34
PID 2868 wrote to memory of 1912	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	36
PID 2868 wrote to memory of 1912	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	36
PID 2868 wrote to memory of 1912	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	36
PID 2868 wrote to memory of 1912	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	36
PID 2868 wrote to memory of 2452	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	38
PID 2868 wrote to memory of 2452	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	38
PID 2868 wrote to memory of 2452	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	38
PID 2868 wrote to memory of 2452	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	38
PID 2868 wrote to memory of 2788	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	39
PID 2868 wrote to memory of 2788	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	39
PID 2868 wrote to memory of 2788	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	39
PID 2868 wrote to memory of 2788	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	39
PID 2868 wrote to memory of 1260	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	40
PID 2868 wrote to memory of 1260	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	40
PID 2868 wrote to memory of 1260	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	40
PID 2868 wrote to memory of 1260	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	40
PID 2868 wrote to memory of 1980	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	41
PID 2868 wrote to memory of 1980	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	41
PID 2868 wrote to memory of 1980	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	41
PID 2868 wrote to memory of 1980	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	41
PID 2868 wrote to memory of 2300	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	42
PID 2868 wrote to memory of 2300	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	42
PID 2868 wrote to memory of 2300	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	42
PID 2868 wrote to memory of 2300	2868	f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe	42

C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oOgmJDo.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oOgmJDo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1F72.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oOgmJDo.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe"
  2⤵
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe"
  2⤵
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe"
  2⤵
  PID:1260
- C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe"
  2⤵
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f504e8f2ed3a2445c9be47d0e9368f4d_JaffaCakes118.exe"
  2⤵
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1F72.tmp

Filesize
1KB

MD5
6ff761937cfa191854c15f95799baf10

SHA1
2789dc26135ccba4e3a567040951be2fac758bac

SHA256
0694fb1da05a00cacbbb0354f550dc25d1b91e33de372fdd71db24fedad71525

SHA512
557dfc7691685431023ed7d17a3c0c171ad1de0a5a99ae902354ff505502505479a71d04751eda53b15aea821114dcfc129736cce5d6a2103b44ccf80aba0c45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\35SGKKHOS2FUF6LG5LCP.temp

Filesize
7KB

MD5
983ba36f08f26bd30ecb36dd8cb03c12

SHA1
d72481df174720442ee19dfa9fb88b08e1c956ea

SHA256
3f3560a99eb8f63c4c35bb7f30c56d413a75ab794c1833ff3371bb3fc594965a

SHA512
69e70d9282166a40ecf6973bc6d8b78cf16e5547453ead86d64e2ba87706831f680e1fcfd6551322b5a7fa456ab7ee573a64c63620631a91f119d1ca8568535a

Download Submit
memory/1912-38-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-36-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1912-35-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-34-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1912-33-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/1912-30-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-27-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2348-32-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2348-25-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-39-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2348-28-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-37-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2440-29-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-31-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2440-26-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-40-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-6-0x0000000000590000-0x00000000005D6000-memory.dmp

Filesize
280KB

Download
memory/2868-20-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-5-0x0000000007BF0000-0x0000000007C96000-memory.dmp

Filesize
664KB

Download
memory/2868-4-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-3-0x0000000000330000-0x0000000000348000-memory.dmp

Filesize
96KB

Download
memory/2868-2-0x00000000070F0000-0x0000000007130000-memory.dmp

Filesize
256KB

Download
memory/2868-0-0x0000000000370000-0x000000000042C000-memory.dmp

Filesize
752KB

Download
memory/2868-1-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download