78ef9f72cdb8f5970da07b1329b8f173072391475a5115d3e6c30af6a7054686

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f0ea32bd6f05ecc50e71cb6385aade1_JaffaCakes118.exe
Size

2.9MB
MD5

4f0ea32bd6f05ecc50e71cb6385aade1
SHA1

68c908194bcc013670f4a2029e4aa79bf80d9b76
SHA256

78ef9f72cdb8f5970da07b1329b8f173072391475a5115d3e6c30af6a7054686
SHA512

24284266a6a7b939d865b921babd568f60ab3307832deded92d04408d397aacbade91c41de6597d126d623039038e1ca7cbdc2a86b7aeb3687f9d5f4be758f91
SSDEEP

49152:++fqoMknc8OBxMFZJxH/j7kQK9EFYfotOVAR/n/c7lphbjOWzZVckfB:++fffOILJxj7kbdAp/cZrjOWzZVck5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4848	sexys106.exe_tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Mariah Carey Sex-E Screensaver Uninstaller.exe	4f0ea32bd6f05ecc50e71cb6385aade1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4848	1384	4f0ea32bd6f05ecc50e71cb6385aade1_JaffaCakes118.exe	85
PID 1384 wrote to memory of 4848	1384	4f0ea32bd6f05ecc50e71cb6385aade1_JaffaCakes118.exe	85
PID 1384 wrote to memory of 4848	1384	4f0ea32bd6f05ecc50e71cb6385aade1_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\4f0ea32bd6f05ecc50e71cb6385aade1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f0ea32bd6f05ecc50e71cb6385aade1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\inst240595187\installer\sexys106.exe_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\inst240595187\installer\sexys106.exe_tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\inst240595187\installer\sexys106.exe_tmp.exe

Filesize
2.8MB

MD5
b0d5d68b25293e5058c070dcc5b782f1

SHA1
e0d41415def35579888f037fe0d5da4b350d0d03

SHA256
fffc8d0c5d7f441f4b8320a45d1b540443bf3980bcbeb4dd4e08cfb1b6848882

SHA512
9d6b1a244dfa501be2423383157b5dd8487ac6fe4570c5fdc5145ac549234d95623a6f4e6fe1acdc25b5b53d209929240f6693af43720f542661de1b139c432e

Download Submit