20dec98c8003e986251cc8a765a931783203ec75eae436e9df2248a465321e53

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
Size

104KB
MD5

5490b40342e869fb0b621a9c4b2e0a11
SHA1

6eec66c6741f91044cb98427668f5053c8333935
SHA256

20dec98c8003e986251cc8a765a931783203ec75eae436e9df2248a465321e53
SHA512

60c228e1a2e2a815097875bb4348d544d5a5811627536df7b7bb4a911614cceb19f60c0a653caff10e22ca808f5f31291d18c4d90a6b384a6d65d549de5d1760
SSDEEP

3072:OYcqg5+ubStuLf4baKqEliMvS7mBNOL8hY:OZ+84xbO7MvSSBNO

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exesoundscookies.exesoundscookies.exe

pid	process
32	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
32	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
3188	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
3188	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
2920	soundscookies.exe
2920	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe
4708	soundscookies.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe

pid process

3188 5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe

pid	process
3188	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exesoundscookies.exe

description	pid	process	target process
PID 32 wrote to memory of 3188	32	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
PID 32 wrote to memory of 3188	32	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
PID 32 wrote to memory of 3188	32	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe	5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
PID 2920 wrote to memory of 4708	2920	soundscookies.exe	soundscookies.exe
PID 2920 wrote to memory of 4708	2920	soundscookies.exe	soundscookies.exe
PID 2920 wrote to memory of 4708	2920	soundscookies.exe	soundscookies.exe

C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:32

C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5490b40342e869fb0b621a9c4b2e0a11_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:3188

C:\Windows\SysWOW64\soundscookies.exe
"C:\Windows\SysWOW64\soundscookies.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\soundscookies.exe
"C:\Windows\SysWOW64\soundscookies.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/32-14-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download
memory/32-5-0x0000000000610000-0x0000000000627000-memory.dmp

Filesize
92KB

Download
memory/32-1-0x0000000000610000-0x0000000000627000-memory.dmp

Filesize
92KB

Download
memory/32-6-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download
memory/32-0-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download
memory/2920-29-0x00000000004C0000-0x00000000004D7000-memory.dmp

Filesize
92KB

Download
memory/2920-20-0x00000000004C0000-0x00000000004D7000-memory.dmp

Filesize
92KB

Download
memory/2920-21-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2920-19-0x00000000008D0000-0x00000000008E7000-memory.dmp

Filesize
92KB

Download
memory/2920-15-0x00000000008D0000-0x00000000008E7000-memory.dmp

Filesize
92KB

Download
memory/3188-7-0x0000000000610000-0x0000000000627000-memory.dmp

Filesize
92KB

Download
memory/3188-12-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download
memory/3188-13-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/3188-11-0x0000000000610000-0x0000000000627000-memory.dmp

Filesize
92KB

Download
memory/3188-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3188-31-0x00000000005F0000-0x0000000000607000-memory.dmp

Filesize
92KB

Download
memory/4708-22-0x00000000008C0000-0x00000000008D7000-memory.dmp

Filesize
92KB

Download
memory/4708-26-0x00000000008C0000-0x00000000008D7000-memory.dmp

Filesize
92KB

Download
memory/4708-28-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/4708-27-0x00000000004D0000-0x00000000004E7000-memory.dmp

Filesize
92KB

Download
memory/4708-32-0x00000000004D0000-0x00000000004E7000-memory.dmp

Filesize
92KB

Download