027116f7f505e23e824004905c005346c3147a8de8b62dd6ec2b359b9822bbdc

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 02:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe
Size

102KB
MD5

5ccc23743ddd0d0d6b7a3485eac71038
SHA1

03e0a1f0c1b512e981b33c1312aafc40d2ce00fe
SHA256

027116f7f505e23e824004905c005346c3147a8de8b62dd6ec2b359b9822bbdc
SHA512

eef7de5322385b7e02b0c5835e13d9b9d4d04b8464d016c84d15a16aca5d71f27f0b57400e8fd13066acadc2f491876e7a63af5b97b118d2a1981b58e2cda6b5
SSDEEP

3072:YmufQ1ZGYk3N1O4b6FjrjEgSjxNC2y54vB0:xlqP1O4b0P0lB0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2452	csrss.exe
2804	csrss.exe
2700	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2364	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2364	2832	5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe	28
PID 2832 wrote to memory of 2364	2832	5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe	28
PID 2832 wrote to memory of 2364	2832	5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe	28
PID 2832 wrote to memory of 2364	2832	5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2452	2852	taskeng.exe	31
PID 2852 wrote to memory of 2452	2852	taskeng.exe	31
PID 2852 wrote to memory of 2452	2852	taskeng.exe	31
PID 2852 wrote to memory of 2452	2852	taskeng.exe	31
PID 2852 wrote to memory of 2804	2852	taskeng.exe	34
PID 2852 wrote to memory of 2804	2852	taskeng.exe	34
PID 2852 wrote to memory of 2804	2852	taskeng.exe	34
PID 2852 wrote to memory of 2804	2852	taskeng.exe	34
PID 2852 wrote to memory of 2700	2852	taskeng.exe	35
PID 2852 wrote to memory of 2700	2852	taskeng.exe	35
PID 2852 wrote to memory of 2700	2852	taskeng.exe	35
PID 2852 wrote to memory of 2700	2852	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ccc23743ddd0d0d6b7a3485eac71038_JaffaCakes118.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc minute /tn "Microsoft LocalManager [500604919]" /f /tr "C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2364

C:\Windows\system32\taskeng.exe
taskeng.exe {E33342F2-7DA0-4596-8D37-4E98F4DB407B} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe
  C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe
  C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe
  C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{15735305-1573-1573-157353059938}\csrss.exe

Filesize
102KB

MD5
5ccc23743ddd0d0d6b7a3485eac71038

SHA1
03e0a1f0c1b512e981b33c1312aafc40d2ce00fe

SHA256
027116f7f505e23e824004905c005346c3147a8de8b62dd6ec2b359b9822bbdc

SHA512
eef7de5322385b7e02b0c5835e13d9b9d4d04b8464d016c84d15a16aca5d71f27f0b57400e8fd13066acadc2f491876e7a63af5b97b118d2a1981b58e2cda6b5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads