b584e51d2963e09d6131b4478278aae81f8671eab799780a03a85b37b0546844

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
Size

762KB
MD5

33f2ea12e7c2a0617631cd2c06213c43
SHA1

5dd1e34134293ea1b2c19a274a846637430b322f
SHA256

b584e51d2963e09d6131b4478278aae81f8671eab799780a03a85b37b0546844
SHA512

252d4d9276c6c6ed8ff6a8865ba55775c73e10e87579221b5cabe63e313a1307f0a896073ee28902953894c557fe2d1487e4fa2879f84c3273ce1d161ecdbf37
SSDEEP

12288:2tobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnV:2tDltItNW7pjDlpt5XY/2TkXKza/29h

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1756	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 1724	328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	28
PID 328 wrote to memory of 1724	328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	28
PID 328 wrote to memory of 1724	328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	28
PID 328 wrote to memory of 1724	328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	28
PID 328 wrote to memory of 1724	328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	28
PID 328 wrote to memory of 1724	328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	28
PID 328 wrote to memory of 1724	328	33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	28
PID 1724 wrote to memory of 2956	1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2956	1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2956	1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2956	1724	internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe	31
PID 2956 wrote to memory of 1756	2956	cmd.exe	33
PID 2956 wrote to memory of 1756	2956	cmd.exe	33
PID 2956 wrote to memory of 1756	2956	cmd.exe	33
PID 2956 wrote to memory of 1756	2956	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328
- C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsi23B8.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi23B8.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\15914.bat" "C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$IH1XCN9

Filesize
544B

MD5
6104e9d6b3dfcffb93069c8fd1ef437a

SHA1
e5be5c6c61375af25ac0215874c4abe342b51f00

SHA256
4d06bc7a74948853b949530b7ab2181394addaaeb356497f4649dc094e44b9cd

SHA512
1857ee1c92938fc042e325c854c9161531e6065236f6de74fa07c2897d388315bbc6c4c43597585055e10529242818e87461ecaf2f308f01166b88080a217c8e

Download Submit
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$ILLTYQO

Filesize
544B

MD5
30544cf77c492e59318fa3f0cee57027

SHA1
cce28938b91c7ed61085e16ae419dfe5fa478a84

SHA256
3978df6031eae493e679c5de8ab4662f80f239d5faed27659c174ae56b7140cf

SHA512
6614419f64fadf811cea3fc81142e0407b5a93ce0bbdefff2b4edf3c06cc12d9fa694d98d69de8a9a3cdcdb630320167da99e32245e1431e007e47d50561f4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\15914.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\CA5D164E7193415E8EDEE8C186D98B16_LogFile.txt

Filesize
2KB

MD5
d26c116d8a85fde6a22eb9e23c3af6ba

SHA1
8dd773e6bf89b2dbe53e202f2cb1dbc3ecbc5939

SHA256
32a6cedb3140be21aa8e33958e03ea35f9565907ace1dc02694a51dfc195196c

SHA512
e138d6ae551aaa8b2cacde2470f13c2c2309430c1b3f5c1f1bb7edb63fa6e1dab630cbb6b55b8f5ce075e5bbc7a508e7e97cd86d019d1ce1a5c9e01917555a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\CA5D164E7193415E8EDEE8C186D98B16_LogFile.txt

Filesize
3KB

MD5
c53448b5c212258475e9754cc05b0088

SHA1
4e91e6b682896b77eb0e0799406c691f4280c9a7

SHA256
043fac9970a53362c440721d77f43b7738f06639e370a9a64d6885307f33a2f7

SHA512
68e584285dcdff1ed6b0481e4dc61dff9ac4c9e45888f247e0cb583041719c0a406987424a02e23c22eec58cd9658d4fb6980093f64d4e54da82c2dc386432ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\CA5D164E7193415E8EDEE8C186D98B16_LogFile.txt

Filesize
5KB

MD5
865bb0d5ae2ce22b3c380ea3174e7955

SHA1
7da95b83f938c36e5746d7646161f9399ec003aa

SHA256
ca3f576a6c44c722261be95ffdc00301454c620ccbe0a84c2e9c7b23198cb086

SHA512
d1e16f06396236b48cb7057189f40bcf88d924fdc28d57702c1dcc61c9265c939de646d5b739ba6ee816c0cfcb22b642f8e7bd4542796cb05430fc02e38a8d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA5D164E7193415E8EDEE8C186D98B16\CA5D16~1.TXT

Filesize
28KB

MD5
c4a4cf5ebefb1c63f6f60fb91eb1506d

SHA1
c94c07a6607b3c1ecdacef2ac506827e0ce4a971

SHA256
803776ff232c316988077de04f7e9b11d89b77413dcac05cc2775582d49df894

SHA512
efe10460f0e2f9fa73b333dcb794dcd16110a880fa7f6d0853aa09deb336301f4c821a8ff6e63fc1368d8d7529d6f227f9121d5ad8a38c9fba7f0087248f2d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi23B8.tmp\internal33f2ea12e7c2a0617631cd2c06213c43_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/328-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/328-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-76-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1724-213-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download