a7fcf790b59ef1cfc8dec3655474f90cdb41a8fea6d9ae9cf0d2d8703144714a

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
Size

931KB
MD5

167c0f4885cb6d9fc13c967bfceeb939
SHA1

eae2bd8f375e9dcd93715c6e80e5dbf9d7604a36
SHA256

a7fcf790b59ef1cfc8dec3655474f90cdb41a8fea6d9ae9cf0d2d8703144714a
SHA512

89654a104dd5c482f86503e26bb0c0df71d817643c32d3b39bc8c14a88145a6291dca67daaea1acd7e8966f64afc3eebedf6c9da12f21cda3fdd69a08ec4bb5c
SSDEEP

24576:ntg0NmSRwZ/3WubQ41c0pGxCjpTM7+2vWc+Yt08:nxs6e3WH41/pGxYm7UcpN

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2616	1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2616	1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2616	1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2616	1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2616	1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2616	1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2616	1400	167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	28
PID 2616 wrote to memory of 892	2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	32
PID 2616 wrote to memory of 892	2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	32
PID 2616 wrote to memory of 892	2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	32
PID 2616 wrote to memory of 892	2616	internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\nsd8D05.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsd8D05.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe /baseInstaller='C:/Users/Admin/AppData/Local/Temp/167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd8D05.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\8449.bat" "C:\Users\Admin\AppData\Local\Temp\0ECC11B502174C73AA64D60A8FF285C5\""
    3⤵
    PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\$I3T59JR

Filesize
544B

MD5
4ad8f5e4185ab94a79a2e01c6b3cfd30

SHA1
8854ccda504e9b2453094d5b16edb3680db58860

SHA256
9a93acd127cb8128cfa75de0627820aa196e0026c21b8ca624aea94281e7765b

SHA512
1d5603c7858ca42bb31cf42185a9a0a5fed4f16c2310046d0d8f0c2babc8840574862ebb4c17243fcfd6d475c7f1ac739886cac9e981364bd213b441ffc672a4

Download Submit
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\$IKFLQXC

Filesize
544B

MD5
61eeb4826a6765185cfe96ab9196674d

SHA1
7246e526a6bbb1f646006ade93432da9b2f11e29

SHA256
2f567b742baef0158d7fd168eee4c07b191ab5b9e4ead7417379f89b0aa0944b

SHA512
40abd952a8176eb8d583f9b6d7c45a5e75e0b1dbfd8020ec6a5b3e5c2094c9dd6a8bbf0d679d994c0f10f8d72fad07158ed87f7377dfe616bedf982a055647ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ECC11B502174C73AA64D60A8FF285C5\0ECC11B502174C73AA64D60A8FF285C5_LogFile.txt

Filesize
9KB

MD5
1a0c7b32bcf3a41eb044f6e2d4696b69

SHA1
a22e3add1de9e35f4cfb02d73559344a36dc6534

SHA256
854ef3712cbfcfac39a7fdb7596e7891d1cd71cf135eddc92d74fbe6bd9eaf7f

SHA512
b4b5b5efddc76666dd538957f97b0f5b2be4d94be2b78add89a81659097e32dcd035cb797ace770dfd640e99e40bf2fc94aa53c055213aed03c7703855ceae15

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ECC11B502174C73AA64D60A8FF285C5\0ECC11~1.TXT

Filesize
109KB

MD5
0d585ef42a091727295a59f0a684f100

SHA1
24c8bb172154a16ee70cb998fd84e0699eb58fe3

SHA256
e75cd0d6e149fc43c3bb3bff58d6742a7d995dd5763f5516d331dbc31f70fa6a

SHA512
d155be0b3d9eab17eae4885bddabac46fb4b9cc9688b77682dfe8ac252433b972aef324eda10d221fc117d809270a6bf50afcd630471815dfa8d94806647a6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8449.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8D05.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118_icon.ico

Filesize
31KB

MD5
49423adffcdebeebd07c5685043a2de5

SHA1
250c7979deebd09963172460d88081ae8a094552

SHA256
a173c1085b8f2227909c0980a4aa6611670eba7869a34228d011019a5675b089

SHA512
32d18c09cb21d9755a68e1d6d75dda8fb4ad297b3d6359765a56856f1a0f6fed47532ecec039b016c73a2967e62d44606415610ae42cec77ae815b164a7f5dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8D05.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118_splash.png

Filesize
143KB

MD5
376138929342a1d86d97c9382da9cdd3

SHA1
d9344a3797e105214357b575d22ab7565bf0aa9b

SHA256
b50608c3355c6dacd183da40af82d87fbd41c6af8074617266c237416055bb7c

SHA512
35fb73515970d257b682c50bff6b6cadedd79906e212c3ab80835f03de9602fecc29459d205c497b26fbf86a625de005d1f6f98117d9c17ccb1926cd39ff756c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8D05.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8D05.tmp\internal167c0f4885cb6d9fc13c967bfceeb939_JaffaCakes118.exe

Filesize
1.8MB

MD5
e35e058dd2119eb0f0e852f8738fbab5

SHA1
b7f9388398a9643eddb97a6c2ebaf28b6189c9a8

SHA256
17158e4838c580edce7f87e677531324579734a5ffbabefac8ce038030f11556

SHA512
d42ec1b3875e5a5cb23e520c2633081304d61ea282407dbb52d4b8c58bee4ccec377e291b485d6e6f5490920838c4b520fcd029897c6be4ac5da3bf19e46ac2c

Download Submit
memory/1400-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2616-79-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2616-213-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download