3831ac4bae020c1106321ee7ca393300f9717d55a5d284b6507ea5ec012db0c6

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 05:50

Target

2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.exe
Size

1.6MB
MD5

2891a7fac1ac1f1f93bdf9ab0715fc93
SHA1

5a03d25666cf9372e54c30b444405db45edd35c4
SHA256

3831ac4bae020c1106321ee7ca393300f9717d55a5d284b6507ea5ec012db0c6
SHA512

e36eadc598a1b08c0bfe00cd03b4803163be3d1a84fa2c882fedf481214363031b494dd869416274788dab488c1d1123c64aa16fba9ecdef42a7d17fc4af5d9a
SSDEEP

24576:oTJNCX4btC/vnWr8fuXUVMMIhWLwJKd8l4LYWKt4NB69bA5rV4Yihe5Cpnz:rIpgWNMjLwQdQ4/KGNBebA5rOYiZnz

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
4260	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4260	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp
4260	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp
4260	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp
4260	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 4260	3700	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.exe	79
PID 3700 wrote to memory of 4260	3700	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.exe	79
PID 3700 wrote to memory of 4260	3700	2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.exe	79

C:\Users\Admin\AppData\Local\Temp\2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\is-29VNT.tmp\2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-29VNT.tmp\2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp" /SL5="$501D0,987698,70144,C:\Users\Admin\AppData\Local\Temp\2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4260

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\is-29VNT.tmp\2891a7fac1ac1f1f93bdf9ab0715fc93_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VEDOA.tmp\setupcfg.ini

Filesize
44B

MD5
491dbc1a2e42c7004d52a7bf0a3a8426

SHA1
26fa85425e12743ad89cd11acbc965ffb40451ad

SHA256
f6deb99c090cef18920ef515b56c7cf8e4e3e7edef025823ab904a0985877582

SHA512
ac95da3b100486b0059671f240af5eaad0a98ef90572f25bf4b572dc414370e66b862908bc36d5d46a1a175918f2cf572a3168fd5f631f0c3681518b95c0ab76

Download Submit
memory/3700-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3700-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/3700-38-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4260-7-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4260-39-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download