30e07e1ffb8283f4c30c9bd643e759cf8246bee8e3bfa4de8ea30beac532a68d

Analysis

max time kernel
144s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 14:52

Target

41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
Size

113KB
MD5

41e52017f48ae7c7dee7a4cf08b71352
SHA1

bfef133c259c4b660a9d0966a0d77707ba5b18d5
SHA256

30e07e1ffb8283f4c30c9bd643e759cf8246bee8e3bfa4de8ea30beac532a68d
SHA512

2f28054d6c4f91150f5d63659014c84981cf409e7135303697fb83c25c509078dd4b1c6adb835ef7fe4b91d95069e9300ba4877390ceaeb15e7827e5e3e47ccc
SSDEEP

3072:EwJ52Y7ZoH5XJaGWee+VzFnwast+j8g7lckSl:EwHysdV+VzJJ+kSl

Score

7^/10

Loads dropped DLL 3 IoCs

pid	Process
4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
3828	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86
PID 4308 wrote to memory of 3828	4308	41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\41e52017f48ae7c7dee7a4cf08b71352_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3828

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nsl5526.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\upholder.dll

Filesize
52KB

MD5
de0f2c4a5b7c7974f19f48b08b3d55d7

SHA1
fb4eea0fa23f0dffa17a141dd9a66e919a79d6c4

SHA256
ae257e13507e2980446867e3b5cfb9a5c57c2d09c24079d59667938e82c204b7

SHA512
812ad695df0188565f31e3db646ac7a41db41320bc3b03ea504dba8f027018661cc9fd47a38833df28e3db1bcfa45cf2b244c9231bf6bca6f01ddd81ff578c6e

Download Submit
memory/3828-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3828-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3828-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3828-17-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3828-22-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download