49362b91fada3e61b4314384c454e60fcd42e82de1693d89483eacba6fc0563a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe
Size

138KB
MD5

dcc318548f7dc8e89019a09677b743e9
SHA1

6b187523d177dd89190d77824a29113bbcd41065
SHA256

49362b91fada3e61b4314384c454e60fcd42e82de1693d89483eacba6fc0563a
SHA512

1b6ad2c6674a209ed629ac1c1cb6f8f70b964dd5aa76421d1bd8443def6e67a7ffbf23799af4059667c19ec823d6bf2703658ea2a928dc21fdac195394d434ad
SSDEEP

768:M/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLsHkLR:MRsvcdcQjosnvnZ6LQ1EMyR

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1056	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1252	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe
1252	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe
1056	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1056	1252	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe	28
PID 1252 wrote to memory of 1056	1252	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe	28
PID 1252 wrote to memory of 1056	1252	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe	28
PID 1252 wrote to memory of 1056	1252	dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dcc318548f7dc8e89019a09677b743e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
138KB

MD5
9c8a1fe1d8feb00b9d4d14bf8cc72801

SHA1
9d1afeebe270af96b4e894403a82a7eafd16b932

SHA256
dfeeb19442bc01cfc915652abe5891cc6dadf69cf6680afd59e60ef934914a09

SHA512
05bebded1d808f57cf822db3e282530d885077fcc1d1fd30bb9e174717b1cd76f36987db57a08c87538346c2f1a106a7ec036aa4198d3de2e4adb5eb599a0f49

Download Submit
memory/1252-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1252-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download