186d44f7e717137701f7e04a7e9844c0715c8fa442d249b4e7b179472675dbf4

Analysis

max time kernel
140s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe
Size

4.4MB
MD5

3782d71aa80c91d491ca8fd567900db1
SHA1

5e6fadea0cc841b7ac3f9290435d10eba1cc2afd
SHA256

186d44f7e717137701f7e04a7e9844c0715c8fa442d249b4e7b179472675dbf4
SHA512

8dae0e58c29401fba49b5517398ed3faa5492c534f4d2b7057163c5e756034c1b2313ac4327e4a3d2a5db8f7978d49032ea853c1f82735826cb744d488a62ab3
SSDEEP

98304:f/yDz5h1Gg6zpkC4qVxvV87rEzDCXOsLjECK6RNEq2Tp5R6a4:HSzekjmAgzNejECnRKpfb4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp

Loads dropped DLL 4 IoCs

pid	Process
2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe
2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp
2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp
2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2560	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2204	2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe	28
PID 2732 wrote to memory of 2204	2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe	28
PID 2732 wrote to memory of 2204	2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe	28
PID 2732 wrote to memory of 2204	2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe	28
PID 2732 wrote to memory of 2204	2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe	28
PID 2732 wrote to memory of 2204	2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe	28
PID 2732 wrote to memory of 2204	2732	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2560	2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp	29
PID 2204 wrote to memory of 2560	2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp	29
PID 2204 wrote to memory of 2560	2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp	29
PID 2204 wrote to memory of 2560	2204	3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp	29

C:\Users\Admin\AppData\Local\Temp\3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\is-ACA60.tmp\3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ACA60.tmp\3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp" /SL5="$400EE,4106734,132096,C:\Users\Admin\AppData\Local\Temp\3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im "secrev.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-ACA60.tmp\3782d71aa80c91d491ca8fd567900db1_JaffaCakes118.tmp

Filesize
1.1MB

MD5
7082f12af9b2f8f3849d40fee4b85c99

SHA1
c67cbacd7b23e0c81489de2f1621b5f7c4a30f38

SHA256
160017d45bb768179499b608f4e492dafa715bb5b8088ecbe49cda062085cf1d

SHA512
8ff1564eaa8dffb05a0aed91155246661dd56999f32b3312c2a449bb29add57f19ab427d4dcd7e2582e5f5a8bec76bf911fccb9b72c2fcfb9d0c4f46a7e5ae30

Download Submit
\Users\Admin\AppData\Local\Temp\is-JQ574.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JQ574.tmp\isxdl.dll

Filesize
147KB

MD5
4beded47aa9b07f05a56c0f97331d1a4

SHA1
c2b4df1ad01c5f9b7fb60694312444450f285dbe

SHA256
da171a2e0eec75f372d1fc0a69be17a4a7d519908a6f75b76abe6ec7ab71d284

SHA512
488e68d604259d0d2e546edf45429ace33054dbc71098977e82b43c4c97ba341d1a4bdab4170e48a5178423183bb06ff947149cfbeb8b868b4175996b211cfc7

Download Submit
memory/2204-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2204-20-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2732-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2732-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2732-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download