f0473af393c1916c5299afba9c13c6a8d2edfd826210a6b68f4f41973025e428

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe
Size

777KB
MD5

0aab662608829d526310f735cc42f2c9
SHA1

a932fd860f719edcdf0bee76857311bb41268a9d
SHA256

f0473af393c1916c5299afba9c13c6a8d2edfd826210a6b68f4f41973025e428
SHA512

2f5519deb31c9b653e9e659effe92d2320c69a173379a1bd8efb6f03a1654284e0f495fbbba0cb33651977f6bbdb6ca616e8c4ba0f076c53484184700ea5d9f0
SSDEEP

12288:yV8uPffOvun3aRm+uDkHUXNrJyjpdFNTyIma7VrUtUPH9:yV8uP9AuDH+xNTy8g+H9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2140	1A54.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2044	0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2884	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2140	2044	0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe	29
PID 2044 wrote to memory of 2140	2044	0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe	29
PID 2044 wrote to memory of 2140	2044	0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe	29
PID 2044 wrote to memory of 2140	2044	0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2672	2140	1A54.tmp.exe	30
PID 2140 wrote to memory of 2672	2140	1A54.tmp.exe	30
PID 2140 wrote to memory of 2672	2140	1A54.tmp.exe	30
PID 2140 wrote to memory of 2672	2140	1A54.tmp.exe	30
PID 2672 wrote to memory of 2884	2672	cmd.exe	32
PID 2672 wrote to memory of 2884	2672	cmd.exe	32
PID 2672 wrote to memory of 2884	2672	cmd.exe	32
PID 2672 wrote to memory of 2884	2672	cmd.exe	32
PID 2672 wrote to memory of 2604	2672	cmd.exe	33
PID 2672 wrote to memory of 2604	2672	cmd.exe	33
PID 2672 wrote to memory of 2604	2672	cmd.exe	33
PID 2672 wrote to memory of 2604	2672	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0aab662608829d526310f735cc42f2c9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\1A54.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\1A54.tmp.exe" --stid="" --onl
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /pid 2140 & for /l %x in (1,1,60) do ( ping 127.0.0.1 -n 2 -w 500 & del /q /f "C:\Users\Admin\AppData\Local\Temp\1A54.tmp.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\1A54.tmp.exe" ( exit ) )
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 2140
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2884
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2 -w 500
      4⤵
      Runs ping.exe
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1A54.tmp.exe

Filesize
777KB

MD5
0aab662608829d526310f735cc42f2c9

SHA1
a932fd860f719edcdf0bee76857311bb41268a9d

SHA256
f0473af393c1916c5299afba9c13c6a8d2edfd826210a6b68f4f41973025e428

SHA512
2f5519deb31c9b653e9e659effe92d2320c69a173379a1bd8efb6f03a1654284e0f495fbbba0cb33651977f6bbdb6ca616e8c4ba0f076c53484184700ea5d9f0

Download Submit
memory/2044-0-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2044-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2044-9-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2140-10-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2140-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download