34f20f8a85fcc289b39ef0a2e15361a77cd94f868208280fbfbdd3344804284b

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 13:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe
Size

1.6MB
MD5

20aaeaf0dd9c0209eab13035a49358c1
SHA1

3071971110d844df6ea33101701861b62b12c9b4
SHA256

34f20f8a85fcc289b39ef0a2e15361a77cd94f868208280fbfbdd3344804284b
SHA512

b6f254b809f25d1323ce5c9881400edc222f193b387746164069c1cca741fca34ffb68b43cb89fade925e4c4dd9b5ff0355322cd5230525e08840874ac8a2b19
SSDEEP

49152:l7GjEwqvFcH8Bx9AD90SsLYOwZep0KbNjP:RvFccBx9k1DKZjP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	Install.exe

Loads dropped DLL 3 IoCs

pid	Process
1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe
2688	Install.exe
2688	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	Install.exe
2688	Install.exe
2688	Install.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	Install.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2688	1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2688	1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2688	1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2688	1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2688	1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2688	1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2688	1992	20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20aaeaf0dd9c0209eab13035a49358c1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\files\NetPanel.ini

Filesize
339B

MD5
0ffdd1daba927b2e3df9dada3b18d56a

SHA1
d6eee2e03ce75282182cf0a4fc07306f528522fd

SHA256
8f7973b9f22295dd29373803d77bf3e250ec3a61ccc2c5760be07d9ed8649277

SHA512
70f1e7872ceb7e87a63ccd872b4cd8bdd3e3ec70ede3e767bcd43f53420e7324ea6a109527c1e85f509c26370158019e9c3577631c3d27510ea0043e542327ed

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
1018KB

MD5
d8261b5215e32da1bb32a03a207a6722

SHA1
9c46c455145ffcaa3c3a123568df7db7f08cdc11

SHA256
511b236e51d3095fe44ca091ee6d00677f842edbdcb1e849c60ae515b63798c4

SHA512
efea1a81ea1a53ba9c7b778a74a0c5a7557850d22396d928e88e382034806364afd008b131b66e6b2d07097481fe1865feab28d2c20143d9bf789db12325607e

Download Submit
memory/1992-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download