16e5a758f95677cf94a64be3ac8c4f445a1d0b24238f62f157d08f395bf6d2ff

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe
Size

221KB
MD5

68f27c9ab94cc5e8b4e4791a77483b92
SHA1

7d87f8057b7395f0ebae5bb0a6195590a75d996f
SHA256

16e5a758f95677cf94a64be3ac8c4f445a1d0b24238f62f157d08f395bf6d2ff
SHA512

0cc2ed0826d9e78f514143b78d725d981b9597b65c0f809108e147e808f1a3748c06d3197db10ec0dccc5d53c6b3c09fff502a47d91fe892a29f008b0538fc8f
SSDEEP

6144:YvJbcJTI7keZP00gL0D4lexuNp4dhxQ5Drh9okobQ:YvKJc7k5JcLuNp4dDI/h9okobQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ins5481.exe

pid process

3044 ins5481.exe

pid	process
3044	ins5481.exe

Loads dropped DLL 4 IoCs

Processes:

68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe

pid	process
1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe
1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe
1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe
1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ins5481.exe

pid process

3044 ins5481.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ins5481.exe

description pid process

Token: SeDebugPrivilege 3044 ins5481.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ins5481.exe

pid process

3044 ins5481.exe
3044 ins5481.exe

pid	process
3044	ins5481.exe

description	pid	process
Token: SeDebugPrivilege	3044	ins5481.exe

pid	process
3044	ins5481.exe
3044	ins5481.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe

description	pid	process	target process
PID 1768 wrote to memory of 3044	1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe	ins5481.exe
PID 1768 wrote to memory of 3044	1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe	ins5481.exe
PID 1768 wrote to memory of 3044	1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe	ins5481.exe
PID 1768 wrote to memory of 3044	1768	68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe	ins5481.exe

C:\Users\Admin\AppData\Local\Temp\68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68f27c9ab94cc5e8b4e4791a77483b92_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\n5481\ins5481.exe
"C:\Users\Admin\AppData\Local\Temp\n5481\ins5481.exe" ins.exe /t52e44d3dcdc63 /e12236294 /u17dced38-7f70-11e3-8a58-80c16e6f498c
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\n5481\ins5481.exe

Filesize
200KB

MD5
574a729a6d22be01601db50e4fc06908

SHA1
f9cb9978ee5aff0a7c2f2d6b7e8221f053c4d2a0

SHA256
a837cfc315a0076627b9e58c226831222416999720434498f10715b019ebbea2

SHA512
7152a713b0d52ad774c9dc8d47e80ce3847f58ace8f57c63f93394874863f673e4e73eed47b7debc5628098a8626ff6d0318f302281e6ddcca1f7f58ef3c497d

Download Submit
memory/1768-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1768-20-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3044-15-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/3044-16-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/3044-17-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-18-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-19-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download