4ef2cf76837976d50710e7e011e785505a3004e481696ebb6e0ff0c27e9079ba

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
Size

762KB
MD5

1fbf2dbee1cc89d2281e5c80d0ee1695
SHA1

475328b85303df68ff1ec614e7830bcb4b1cecf9
SHA256

4ef2cf76837976d50710e7e011e785505a3004e481696ebb6e0ff0c27e9079ba
SHA512

6a6d39443189b6c7b826240845404602926a39f78100c27824b9072e677f0a78a2e555744b71767f5319f00d41caecccadf7166478052e8b6d182ff5ab3f8776
SSDEEP

12288:/tobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTn9:/tDltItNW7pjDlpt5XY/2TkXKza/29x

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1752	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2008	1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	28
PID 1048 wrote to memory of 2008	1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	28
PID 1048 wrote to memory of 2008	1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	28
PID 1048 wrote to memory of 2008	1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	28
PID 1048 wrote to memory of 2008	1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	28
PID 1048 wrote to memory of 2008	1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	28
PID 1048 wrote to memory of 2008	1048	1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	28
PID 2008 wrote to memory of 3000	2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	31
PID 2008 wrote to memory of 3000	2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	31
PID 2008 wrote to memory of 3000	2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	31
PID 2008 wrote to memory of 3000	2008	internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe	31
PID 3000 wrote to memory of 1752	3000	cmd.exe	33
PID 3000 wrote to memory of 1752	3000	cmd.exe	33
PID 3000 wrote to memory of 1752	3000	cmd.exe	33
PID 3000 wrote to memory of 1752	3000	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\nso23D8.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nso23D8.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nso23D8.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso23D8.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\30386.bat" "C:\Users\Admin\AppData\Local\Temp\24270EFFDFCC44E6B8BD4CE9D5CAF865\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\$I46H2A5

Filesize
544B

MD5
1016ebffb608565fe36804a5f7ab2418

SHA1
69e298e28559971eee2ecd746622f1b3e063a65d

SHA256
48ec790ba01ffc1ecd7e2681d96fffd78b927135b9c5300ab75f73d3639493a6

SHA512
e2a3e4de01219ba813339f32d647eee0da053d230930ca95464edeeb33761159a8b56f54b6ddf2711280e806fbabcd8f58fbeaf60e9aaf93e2835cbeebbd4af4

Download Submit
C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\$IJOQZ4C

Filesize
544B

MD5
4a54a5d937fa632df04a7adee0dad600

SHA1
d9df6809efdc02917827872ba33091db384098eb

SHA256
4bcb7973183c5f422b50b94d99d8aaa0cb9d2d7b747a1e86fe4cc1dc331661b9

SHA512
bdb96bed202b96d9c3bb02707abc20805e8aca3c65fb556dd3209286892cddabc36491a10e9cb53a65dbf4a84aa9b1f99624159ed0d2e1ca3b3f95e56a9b5ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\24270EFFDFCC44E6B8BD4CE9D5CAF865\24270EFFDFCC44E6B8BD4CE9D5CAF865_LogFile.txt

Filesize
1KB

MD5
dfef5cf5989ff81209f146a5941a09c3

SHA1
7cf9e65ef890f248647c7edaad1c02e024991458

SHA256
a5263767ecb8d4c6fc8ff0647ac884e966be90e9f654f1d465fed80eb558f44b

SHA512
c4bd0c95efe416c968e59d933e6f4b60a9f1d45339e7dc26ef4b5e01239eb0aa72060718a3137fb718a8dec82542b54f004a860c4d1611efc5bdbb65163aa229

Download Submit
C:\Users\Admin\AppData\Local\Temp\24270EFFDFCC44E6B8BD4CE9D5CAF865\24270EFFDFCC44E6B8BD4CE9D5CAF865_LogFile.txt

Filesize
3KB

MD5
0a3bc38f41fc07bcb9cda842b992d824

SHA1
217bfde6e4a650709f421681d8055ef3eb1089a5

SHA256
88f9d6116875defb703a3e8b032a608335d06967ed929de572745be0400505f9

SHA512
f40f649f485b59d4448fafeb4b03a12da0a39fe9802f497476b492b91b534ba57f09bb9ccff2fc78c668e1e3f0273a559df6b9f6303a7da7fd9f0b658c7823c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\24270EFFDFCC44E6B8BD4CE9D5CAF865\24270EFFDFCC44E6B8BD4CE9D5CAF865_LogFile.txt

Filesize
5KB

MD5
1d1d5a4c112ef9fc1590bb276d9671b8

SHA1
a204eb5a949d223a3d4da765600cf98437943c2c

SHA256
de7fc3566bfd11fc0e5769e0c2cb5b5ce43c34945b87ff4d26f2a0321e55c8ae

SHA512
ca3647ff485378837c47aa40a0177d5dbc170fd5bbd67ac638d91e80b9edc6f96144ad5756105e094749e77f92e998c01c72652979ac77b0871204d42053947f

Download Submit
C:\Users\Admin\AppData\Local\Temp\24270EFFDFCC44E6B8BD4CE9D5CAF865\24270E~1.TXT

Filesize
27KB

MD5
30de9a8b5e309d12c3970b89d0db8fc3

SHA1
d56d005753d8dc442d997a40b1fc66055833800c

SHA256
9484877784aa96538b3bb975cc5673a7de0f28847f334b982490bffe14d481e7

SHA512
37545414f0a209a811cff42b4ace660ec20eaddc33dffd1f9641324c81d486b40d478564294c8796abdee991e64cbf450ded134088b728730763d5bee3ca335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\30386.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso23D8.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso23D8.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nso23D8.tmp\internal1fbf2dbee1cc89d2281e5c80d0ee1695_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/1048-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2008-76-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2008-207-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download