ceb39bd7270666c09534f6d54d2715e3e74652d28c494d9e73664de655164387

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
Size

1.6MB
MD5

3a2409969f1bfa669f1d339c8ac9fa1f
SHA1

afaa363108d2c91f6cea4684a3299fa992a23b0c
SHA256

ceb39bd7270666c09534f6d54d2715e3e74652d28c494d9e73664de655164387
SHA512

463ee6728abb25a80274b9ab87898cbaa7366531ab8e3368298b2112f54bb4dc3025597b0c1ffcb46014811a057d6e01af64e64a0a37088cea67c63f92e8274e
SSDEEP

49152:/Zgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S93:/GIjR1Oh0Tj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1876	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1504	2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1504	2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1504	2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe	30
PID 2068 wrote to memory of 1504	2068	3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe	30
PID 1504 wrote to memory of 1876	1504	cmd.exe	32
PID 1504 wrote to memory of 1876	1504	cmd.exe	32
PID 1504 wrote to memory of 1876	1504	cmd.exe	32
PID 1504 wrote to memory of 1876	1504	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a2409969f1bfa669f1d339c8ac9fa1f_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\25757.bat" "C:\Users\Admin\AppData\Local\Temp\0AC6251A0207483586FD2310A54C022B\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0AC6251A0207483586FD2310A54C022B\0AC6251A0207483586FD2310A54C022B_LogFile.txt

Filesize
2KB

MD5
32a3203afc8bbe810a86bdc23c44d2b3

SHA1
4075440a6f163b282c11806c368739a2c77804ef

SHA256
3b0c0b18338669dcc9f77eedc11af30cb8f0f573a9fdb510e3f75cca174553fd

SHA512
4982d197d193386ea0515ee032d503cc2caf2247f6467a91b3f201305fb46ab23c86e6df72fca77f0d9499a8033872a88707b2719eb54842bf6fe962b3b01c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AC6251A0207483586FD2310A54C022B\0AC6251A0207483586FD2310A54C022B_LogFile.txt

Filesize
10KB

MD5
bb9a3b8c666327e06ac23c37afd3c09d

SHA1
14a810b83dde0e51bbe65ca5c900176dc56fbdea

SHA256
04d712c5624704313e4105d047f1ce5354715d3d7a6489ef9174ab06c0958ba9

SHA512
925e022084c59ac5c0f508668e79b1ef22c3d8d592a388f87e8f0c77caf2c9d5c421d8927d371d3d84ab0733f36344d13513efb90206739abe26bbf49de437b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0AC6251A0207483586FD2310A54C022B\0AC625~1.TXT

Filesize
101KB

MD5
6d367c16db8caf4b7e14714f62ccf8b2

SHA1
75bc170b97888923073243ec2195379dd9b30f78

SHA256
500e1ac7ad45da2fb1b1cb2b8a7883647fef8584922d023d610c2393da556523

SHA512
df639385ff8555feca7bea622a69dba09e1ad0b31b32c9ab0e59fa9d6aa59219fa03a4158b4e335d4949b4c6cbc7971ae5acaa5b26e22d471069fb9e31e998e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\25757.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
memory/2068-63-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2068-176-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download