21579b6c8c0f5588ab7c20813f1fb0ba52e9a1647733456a39529327c45af8ed

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 21:57

Target

01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
Size

208KB
MD5

01c07d09ff212f857e96c20e57e4b4fc
SHA1

641f73b9004808f62c308c634993ed4137cee914
SHA256

21579b6c8c0f5588ab7c20813f1fb0ba52e9a1647733456a39529327c45af8ed
SHA512

8ddc52aa7fc4e31f335ae03d7caca969961efe66cd4253eb02ba495e737d0b59854ba8db123bc3b316cde8f00b3de185120a22d259d3484f3e100a4ea67066d1
SSDEEP

6144:arYTgEMnRNL+I3YHBC/vMYRbbdfHKpkEj1:OBrI6U8IpkC

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2980	VPHS.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	cmd.exe
2232	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\VPHS.exe	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
File opened for modification	C:\windows\system\VPHS.exe	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
File created	C:\windows\system\VPHS.exe.bat	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
2980	VPHS.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1152	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
1152	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe
2980	VPHS.exe
2980	VPHS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2232	1152	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe	28
PID 1152 wrote to memory of 2232	1152	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe	28
PID 1152 wrote to memory of 2232	1152	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe	28
PID 1152 wrote to memory of 2232	1152	01c07d09ff212f857e96c20e57e4b4fc_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2980	2232	cmd.exe	30
PID 2232 wrote to memory of 2980	2232	cmd.exe	30
PID 2232 wrote to memory of 2980	2232	cmd.exe	30
PID 2232 wrote to memory of 2980	2232	cmd.exe	30

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\system\VPHS.exe.bat

Filesize
68B

MD5
5d770fbd12ee07784da19c50b97941a3

SHA1
596e3b6c4a873f458c94a4061c7ecaaead018e48

SHA256
a22258a94f4bc57d5c65667a1d488700d95f9d115da43171f4872f42a4db8d46

SHA512
4ad05caa86d902f40b15a933128f608b0c66797cd58034a1b7b1829f3e41672183adc34de98fe1b98292cce503df02565a7ca8fee7aefb78e1421245fba66470

Download Submit
C:\windows\system\VPHS.exe

Filesize
208KB

MD5
42850fd14f23aa7c55820fb19ede80e9

SHA1
9bf5f1659132f3358db9e9662b947b754af3401c

SHA256
ca5a51ea40bf03674033f9d63de86e9d9453027f1c21a9fb4d58993988edaba3

SHA512
9b4455b8203eb3e059acde98f6e834858b81f2c68a9de08350a5e8335edd6e65b158d97826cdfa25a474cc177187c7eb145e855a2720c5f34fcd2985bba14416

Download Submit
memory/1152-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1152-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2232-19-0x0000000001C80000-0x0000000001CB8000-memory.dmp

Filesize
224KB

Download
memory/2232-18-0x0000000001C80000-0x0000000001CB8000-memory.dmp

Filesize
224KB

Download
memory/2232-20-0x0000000001C80000-0x0000000001CB8000-memory.dmp

Filesize
224KB

Download
memory/2980-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download