15f6bb330fb0dfb126266f0b08c4ad6d2e59c3d21bff75a2e31b19aed52762b9

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 06:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe
Size

1.6MB
MD5

38b095c929ec88d67462c02e70d32331
SHA1

1a8a6340080650307b6f4c8819cb87c4cfeed621
SHA256

15f6bb330fb0dfb126266f0b08c4ad6d2e59c3d21bff75a2e31b19aed52762b9
SHA512

ede690b0ab92902099703bbb77c04337618e38e1c87debc20819c99dbb23e745d0d95727c87ef088bbc51252e05d440439012254f11169c07624b0fde6f75d1f
SSDEEP

49152:QZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9a:QGIjR1Oh0Te

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
296	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe
1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe
1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1952	1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe	30
PID 1644 wrote to memory of 1952	1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe	30
PID 1644 wrote to memory of 1952	1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe	30
PID 1644 wrote to memory of 1952	1644	38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe	30
PID 1952 wrote to memory of 296	1952	cmd.exe	32
PID 1952 wrote to memory of 296	1952	cmd.exe	32
PID 1952 wrote to memory of 296	1952	cmd.exe	32
PID 1952 wrote to memory of 296	1952	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38b095c929ec88d67462c02e70d32331_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\22386.bat" "C:\Users\Admin\AppData\Local\Temp\4913FA6C45F4442CA3CB08525C859AD3\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22386.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\4913FA6C45F4442CA3CB08525C859AD3\4913FA6C45F4442CA3CB08525C859AD3_LogFile.txt

Filesize
5KB

MD5
c1e3b7c4dd05cf65d2c611154ce3b2db

SHA1
7efeaad1e51cc033c913eba411adfce787788a4e

SHA256
ea96419bf30d60ec9f8370deafbfdef6812c858a7703430e8adf60301667f68f

SHA512
9d7dd64ca5a7e31c49531323422cb2f8d96a311b85760e012b9ed35526ff7137e8a1ceafed80415d618d7a0fd1ab88f49895bdf032aa087fb075da3c55101368

Download Submit
C:\Users\Admin\AppData\Local\Temp\4913FA6C45F4442CA3CB08525C859AD3\4913FA6C45F4442CA3CB08525C859AD3_LogFile.txt

Filesize
6KB

MD5
fe550c4c787a6a943012589c5c956fbb

SHA1
e3034cfce9cae418590ac615727c08fa8c227111

SHA256
7b0ad1c76a35efc823d48ea69427ea5894f9b8b98147b418b357a76fcd895085

SHA512
a940afdafd8c053f4f4c8d8d4598b86f831d80ac0b16841f8606a42df07e0688f6175edc6273bf0656d6cda40162a393d38814aedb1c6e24e551709d267563dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4913FA6C45F4442CA3CB08525C859AD3\4913FA~1.TXT

Filesize
103KB

MD5
983871a0a5916c717bcbff018960bce1

SHA1
e5632d2815b0ca7001cbceea3e725c85c8709186

SHA256
0dbfb7131f1492d184091726cee3f176cc112f2325da41bca5f0952af2403150

SHA512
8d1ffae4eae7dca25f599779ca7b08b26ec1b06980333474bd5d1624e11a625478415eb3325352de4f83db34480cb5a8457486aafd47b8ec269ca89845bde646

Download Submit
memory/1644-61-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1644-183-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download