bf0251e3e76a263068db92373e19bd646c695f75f5100799c569c76dd92c0c8b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe
Size

1.1MB
MD5

0e51912989e3831ccd201c1c1bf5ffc5
SHA1

d342cf8dd2382195f1e76491074fa748cda3dfc2
SHA256

bf0251e3e76a263068db92373e19bd646c695f75f5100799c569c76dd92c0c8b
SHA512

e4a85524f9afbbbb7f06dcddff648641dd40667823d1f2ab14cbece7b344e1fa843ad120fac7af3b3f1d5506334b9a9dca3755fe0d31f0aa58396e75999f4d7e
SSDEEP

24576:XZfAw3bLCl2wbReC0GTezBMOQtBosaPJZEz+f6c5xlgHbX:9Hb+lJbRvPTmxQtTaPJZESVlmbX

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe
1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe
1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe
1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	1632	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1480	1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe	29
PID 1632 wrote to memory of 1480	1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe	29
PID 1632 wrote to memory of 1480	1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe	29
PID 1632 wrote to memory of 1480	1632	0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e51912989e3831ccd201c1c1bf5ffc5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 620
  2⤵
  - Program crash
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst19E8.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nst19E8.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nst19E8.tmp\utils.dll

Filesize
167KB

MD5
49bbea53054a3e53a8f24fd7ab97be44

SHA1
7ab42d62efb2d56ce6fab5e37aaf4478ae428daf

SHA256
fd162cc491484bb0009afe40dcef245bb7802af5b63b9c1ca12e2f22fed31341

SHA512
6baaa63910bdc93717556ed3f9f1fca9743488f1e1d7a5005ba3dbe44dce800019658556d7f3518e758ba18ab653d351bba6bbfb5c92f8c6b21fc2fc0a20cf7e

Download Submit
memory/1632-4-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download