393aa7f6223935422cb15558b8deb8c07435302c953d8e3625961743dabd3ed3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc6b8d92719b5c1e2222047ca5d2013_JaffaCakes118.exe
Size

305KB
MD5

fcc6b8d92719b5c1e2222047ca5d2013
SHA1

1798635199ea135e52148bc6a171d74e7a544962
SHA256

393aa7f6223935422cb15558b8deb8c07435302c953d8e3625961743dabd3ed3
SHA512

791899a859ef04ef305b8e8cf37519a28ba145007d4dd4cbcbff47f788830cf28549ea0c02eb787c46140041823471d8103c1e79bb60f1cd45032da86a0ce627
SSDEEP

6144:t/iQb+ckQsH8TDRGKJkSvGUlYG2dtX+t4Y8J:0Qnk3GDYKGcblwtX+t4Y8J

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3064	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1768	2120	fcc6b8d92719b5c1e2222047ca5d2013_JaffaCakes118.exe	28
PID 2120 wrote to memory of 1768	2120	fcc6b8d92719b5c1e2222047ca5d2013_JaffaCakes118.exe	28
PID 2120 wrote to memory of 1768	2120	fcc6b8d92719b5c1e2222047ca5d2013_JaffaCakes118.exe	28
PID 2120 wrote to memory of 1768	2120	fcc6b8d92719b5c1e2222047ca5d2013_JaffaCakes118.exe	28
PID 1768 wrote to memory of 3064	1768	WScript.exe	29
PID 1768 wrote to memory of 3064	1768	WScript.exe	29
PID 1768 wrote to memory of 3064	1768	WScript.exe	29
PID 1768 wrote to memory of 3064	1768	WScript.exe	29

C:\Users\Admin\AppData\Local\Temp\fcc6b8d92719b5c1e2222047ca5d2013_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcc6b8d92719b5c1e2222047ca5d2013_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RarSFX0\ee.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.vbs

Filesize
63B

MD5
b46ec202e6b7a647e6487979f2ce421a

SHA1
c8b9b21bf256d807c1ea8ba6bb62e9d60152ab96

SHA256
b26e89da904d38cef2ca64cb02feb07fb9be843c6d9320a032394f73fbb68d43

SHA512
d400087837de5fab25d9e9fec0541a65d449213854663ec4966dbf7d537d2606175b0853ed3e505ed5348513e6973b89ddbecaacdca3cf7cc8bfb697aceaed28

Download Submit