b6b6d0bca3f8e8f360eef0a3eb3368a61a94a9534a5bfec589b4d12a0b2d62d0

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe
Size

385KB
MD5

fd49a9d34c3c4a331634d522c43d823b
SHA1

7851fbe5133c8db94c6a15aefe2db45ff0eb1151
SHA256

b6b6d0bca3f8e8f360eef0a3eb3368a61a94a9534a5bfec589b4d12a0b2d62d0
SHA512

c6f6a1439f0342e5b423feb0b6670451407c86b1399b4a50ecc5d6119ccfe83492b78052e84c5a41c26696319943c7faae34e4c8c934d2d7438a21e26e07e2a0
SSDEEP

6144:7JDBDfqcEB1AjzthP0Fkcf8VC82SZT5jVNfv1D0zi2yzGB:11epAzYe1t2SZT5jVhvki2lB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2344	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2860	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe
2344	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2344	2860	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2344	2860	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2344	2860	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe	28
PID 2860 wrote to memory of 2344	2860	fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\fd49a9d34c3c4a331634d522c43d823b_JaffaCakes118.exe

Filesize
385KB

MD5
b07556311afa454876dc825c6940b970

SHA1
f14a7c3f35d2528d60c7c111d41ee66668536ca0

SHA256
74c8b36f95b6763be8cab7f59270bc85a2a783bc500b96a3d4a4f6e2c5faa25d

SHA512
ececec8de019918c1c915c4bda0247bda140bdaa81f1963988c2a2ffcd3b8001b0f132833154efeee902200cb3f877d656f45c49aa9510974e9f0f6ef7698872

Download Submit
memory/2344-29-0x0000000002CB0000-0x0000000002D0F000-memory.dmp

Filesize
380KB

Download
memory/2344-17-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2344-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2344-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-45-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2344-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2344-51-0x000000000D620000-0x000000000D65C000-memory.dmp

Filesize
240KB

Download
memory/2860-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2860-2-0x0000000000190000-0x00000000001F6000-memory.dmp

Filesize
408KB

Download
memory/2860-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2860-12-0x0000000002DD0000-0x0000000002E36000-memory.dmp

Filesize
408KB

Download
memory/2860-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download