d48c3ad01262cd7d4a3d1c777937fb38e96c47ab19f53dbd5dda1fe1cdb3f76b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
Size

762KB
MD5

37274b609755ff032c62f6b8671e8b23
SHA1

bab02c7f352200518ed08148fa885ac5dea29d26
SHA256

d48c3ad01262cd7d4a3d1c777937fb38e96c47ab19f53dbd5dda1fe1cdb3f76b
SHA512

d4b565b441d483a1064bb8512e695e501a85678163aa815fb5538e7b6223c468d9017be0e94d20b8d3c88e2573aa075d98b4db9b2e6b72019c7cb5096c62dadb
SSDEEP

12288:9tobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTn3:9tDltItNW7pjDlpt5XY/2TkXKza/29z

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2016	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1148	1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	28
PID 1684 wrote to memory of 1148	1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	28
PID 1684 wrote to memory of 1148	1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	28
PID 1684 wrote to memory of 1148	1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	28
PID 1684 wrote to memory of 1148	1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	28
PID 1684 wrote to memory of 1148	1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	28
PID 1684 wrote to memory of 1148	1684	37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	28
PID 1148 wrote to memory of 1692	1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1692	1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1692	1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	31
PID 1148 wrote to memory of 1692	1148	internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe	31
PID 1692 wrote to memory of 2016	1692	cmd.exe	33
PID 1692 wrote to memory of 2016	1692	cmd.exe	33
PID 1692 wrote to memory of 2016	1692	cmd.exe	33
PID 1692 wrote to memory of 2016	1692	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsd30B3.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsd30B3.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\18352.bat" "C:\Users\Admin\AppData\Local\Temp\1A82A8F3BC4D4081AB999742E5E23D39\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\$I7WXNWB

Filesize
544B

MD5
e39dbaf92bb95c8c95e504cc52ac59e2

SHA1
7d6e37ac8198f2391f447d8476cd501a4b6bf28c

SHA256
626d15875233d539b555c745bd1530118a5761cb5abef607af0191192b898a61

SHA512
33b5a04f60bd5a97787d98941a78f9a1dcddff94a97898682ba5919fc9eed8dee8aef2465a30ad6d8dca819752d6c5af4af5f1fb2d41b5b74b1f4b734bc719d2

Download Submit
C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\$IC25AZ9

Filesize
544B

MD5
66af1e325d16c0f25e8f86b642cfe1bf

SHA1
135b01ee3fdb618028093a08c4009e8ed08fe57a

SHA256
fffa017f7ea3aa231043ff781377b5528dbea7b03a70b07c3b7db32bb731dbc3

SHA512
38ac24d08f2d0828db3f569c9ae4420f70bd1aa482bd6dff68b9fbf90a47edc88e48b0154524d059f3f5af5c5c3bf3d05734ea1c8e57826ca464ed893eafad7b

Download Submit
C:\Program Files (x86)\tempo_21561

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\18352.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A82A8F3BC4D4081AB999742E5E23D39\1A82A8F3BC4D4081AB999742E5E23D39_LogFile.txt

Filesize
2KB

MD5
5d4f4ef616a896e5cb74189e16181368

SHA1
f7079caca438c38f3a21d0a4bef7afdab5543951

SHA256
a7d444f9b40ade18131dbb214dad94dfb13690781cd5a976721d0f8eac9e8ca7

SHA512
d5210cfa61912acf39b35e38bc0e8b4c156b85daf7db02c64d486c6c4e9ac484ad913ec4671c4bac4a6578ede54e5a68d23d32568bf00c98b75d1a49ae9c8b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A82A8F3BC4D4081AB999742E5E23D39\1A82A8F3BC4D4081AB999742E5E23D39_LogFile.txt

Filesize
3KB

MD5
168bf0cca98fe96a94320eee446f24ba

SHA1
b387ab1c02851b3156b75b3c1e2a87cc0d71af04

SHA256
b0f410e252f1e63d98f71ade39d4ac1c6f33b30268854088f9490ac1db9b256b

SHA512
bc6cb7e7d81a0e635335eefc9f1b5f9c6dfdd13a6509d7ee13bee0f6b70ff8043eb1ebc41eeb332002362ee86ec3943dc48162e5ad7dfc7c74f5a72dd2fd8f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A82A8F3BC4D4081AB999742E5E23D39\1A82A8F3BC4D4081AB999742E5E23D39_LogFile.txt

Filesize
5KB

MD5
0af1d7a1492001c7a9719172e8981114

SHA1
19ae5bf3b2707eadd06ec2240cd2d0e1582dc28a

SHA256
d885d63ade70363edc63dbcc4b72c183de83a347d3f39baedf5487bf39df175e

SHA512
798e8e89ed736c7e211181e2b896b45e620fedbca374a729ebf3843958dedd45b70820e0c78e68fa852b20762cf8817294567c83cfdd9c0a28e3b14db6cda41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A82A8F3BC4D4081AB999742E5E23D39\1A82A8~1.TXT

Filesize
24KB

MD5
ea1cfbd16b2d90c47ebc72ce52c64709

SHA1
e317c54f37ebf15647e143874eed450562c22cf4

SHA256
54e55a4f90e6e133ed7b35b1cb2cb34c66e898b4d708ed00fc723f4081c53617

SHA512
ac4c431b918fbb2f4de7ee36870eca79ae46c875653a7f39ed3692cc9a322c5aa1600acdbaf88ecdcb10a8cfab26f57a9517ec57c42830f26c28784810c364ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd30B3.tmp\internal37274b609755ff032c62f6b8671e8b23_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/1148-76-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1148-202-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1684-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download