2264c1226978c5f1f4a5d731f2cf4180ebfdece38f01a069917dcf3452e94e04

Analysis

max time kernel
122s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe
Size

305KB
MD5

3ea9e5a1ff0d1348a10edec09f010a55
SHA1

2ff1684685bdec1402fed8d700e51b5be6d7b12a
SHA256

2264c1226978c5f1f4a5d731f2cf4180ebfdece38f01a069917dcf3452e94e04
SHA512

35114aa4675e9cb73cc831097747a8c67c5618fa1e1275d7da962410cf36c6de40573e345a120962ab8ef778092c0b35725abd83529e94fca1cec1f34e70eb60
SSDEEP

6144:Irkx9uEo2S1YnQmCX492DkwNP3qpYFkXdlP5IO5/OoCVHuy6SHZ86riVZkiizB:IrkHu6/eIo4RXdrIO5/OpVHd6Ky6rizY

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2316	3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe
2316	3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe
2316	3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2316	3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ea9e5a1ff0d1348a10edec09f010a55_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Tsu0D31940C.dll

Filesize
269KB

MD5
af7ce801c8471c5cd19b366333c153c4

SHA1
4267749d020a362edbd25434ad65f98b073581f1

SHA256
cf7e00ba429bc9f27ccfacc49ae367054f40ada6cede9f513cc29a24e88bf49e

SHA512
88655bd940e9b540c4df551fe68135793eceed03f94389b0654637a18b252bf4d3ef73b0c49548b5fa6ba2cf6d9aff79335c4ebcc0b668e008bcc62c40d2a73c

Download Submit
\Users\Admin\AppData\Local\Temp\{9DBAF4F7-1F22-4C06-AEED-57004659D601}\Custom.dll

Filesize
73KB

MD5
e8d86c771d7e23b080921b9803f1654c

SHA1
49d8ef6835a6de734ead4e0b2cbbc65735cd5c17

SHA256
cc7a340bffc39d8d8f704314f0383404590438b8cd16e780e0a26723bceedd21

SHA512
b9902e0112bbf053ec4e3aa633ac2f2dd938b23507ff58ed69ac580656e42874c4b0ccb0d393b26637ae2b98feee78023d62378adb99140736e314de74fb399b

Download Submit
\Users\Admin\AppData\Local\Temp\{9DBAF4F7-1F22-4C06-AEED-57004659D601}\_Setup.dll

Filesize
167KB

MD5
262cc5a5e5a007ae182c45e41ac35adf

SHA1
999582209e73d92d0040b8092666087aac2cee90

SHA256
ecc186e0284593db51463f104ba8486b1de656d47a290d27c6fea157cb1495bd

SHA512
2f59e23646774c3e5034d464242ac128cfb3ced1a0498dd0f719308b5854fbba20d457127e01b414f12b63d8bc3baf7ffcf89d91300ca43b90ed6cc933e4bd5b

Download Submit