4fb98c06085a33f197665afb7796951ee13b909aebfd618694ba24271e530a88

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8557444d716465f01c89307d430153a_JaffaCakes118.exe
Size

1.6MB
MD5

f8557444d716465f01c89307d430153a
SHA1

121e7805b3dcd0b416874b400f2f29c7549096be
SHA256

4fb98c06085a33f197665afb7796951ee13b909aebfd618694ba24271e530a88
SHA512

0ba08cfd957f9245e028588761e5c8de515d71544e30dbafcfca939c0d558e53067b7732697477212155643ef44ecdac84498d99d056c7714b85f4346addcea3
SSDEEP

49152:sZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9E:sGIjR1Oh0Tw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2316	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe
2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe
2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1088	2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1088	2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1088	2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe	30
PID 2232 wrote to memory of 1088	2232	f8557444d716465f01c89307d430153a_JaffaCakes118.exe	30
PID 1088 wrote to memory of 2316	1088	cmd.exe	32
PID 1088 wrote to memory of 2316	1088	cmd.exe	32
PID 1088 wrote to memory of 2316	1088	cmd.exe	32
PID 1088 wrote to memory of 2316	1088	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\f8557444d716465f01c89307d430153a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8557444d716465f01c89307d430153a_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\21997.bat" "C:\Users\Admin\AppData\Local\Temp\E4A49BA8B8B845E889B858B8C5AC7E8B\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21997.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4A49BA8B8B845E889B858B8C5AC7E8B\E4A49BA8B8B845E889B858B8C5AC7E8B_LogFile.txt

Filesize
2KB

MD5
e565b0fafd92e4876c903283840e2132

SHA1
b65e4affe418af211a2d9151395e6f06c837d14a

SHA256
58ffc86b8b196a068ee5396a1cbb1e1a33aa0799590afa233d684508a1133644

SHA512
4f7e0b1bd439441ca6e1653ffe88ac3ac82632fedbba350d1b3b67062d879599544ac7b123e59d709d2e15c9d488d117c08f050eec613ec3bd6aa2cfd06844e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4A49BA8B8B845E889B858B8C5AC7E8B\E4A49BA8B8B845E889B858B8C5AC7E8B_LogFile.txt

Filesize
5KB

MD5
70864410680b5af3cdd6fcc026fc62ad

SHA1
791891fd675808ea2e3891876612aa0957ae2d18

SHA256
5196e05baa3142d259186a4c5cfae37c5b3adc5c10b264812f4707e81ab4b754

SHA512
a0532ea61ae0d45ac7c44b325657a63a77b69b5854396352bccba89da8e77a87ea2404f3991a5f3b1a373cf8ecae99dac315d2c63831eaf2d518c72819b0610e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4A49BA8B8B845E889B858B8C5AC7E8B\E4A49B~1.TXT

Filesize
104KB

MD5
01eda7d94324a30471ddb97b4df81f61

SHA1
a0b4281888f78b48b475fd58d909ad103bb768cd

SHA256
b820ce41dc1d1c30c06c05c91f37edd471fdee86f2192c85c53ea59575c7b4f2

SHA512
4e4c7c25cf31724a25f6686805b217c95dda41d2054d01c8e5bf716426bcf009cc4ac6ad34d172f5982623371685225ce773ca7078f1067b7f370c46ce322146

Download Submit
memory/2232-63-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2232-183-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download