dd6d275f30569f4c32a158dc30ff362eb79647c89f90581093a317cab4cdd61e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
Size

1.6MB
MD5

688fc52ad8e156a245cd8e62b78e4560
SHA1

a302cc0ef3461fc15915d0d79bfa2abfb99bc117
SHA256

dd6d275f30569f4c32a158dc30ff362eb79647c89f90581093a317cab4cdd61e
SHA512

0d80d8768ec26c0f476202b7ea643054e5c2c1de587de5d11b3b57e688975980684c8dc2a568edcdf90543aed7d7f569324ac9b4505bcabb047a9402f5e5bba1
SSDEEP

49152:LJwukiAFOrk6TXh1/7xUOLRTlpS+JOiwKTH9f:LO6Tx1DL4Nw

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

912 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

pid process

2780 688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

pid	process
912	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

pid	process
2780	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
2780	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
2780	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 2072	2780	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe	cmd.exe
PID 2780 wrote to memory of 2072	2780	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe	cmd.exe
PID 2780 wrote to memory of 2072	2780	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe	cmd.exe
PID 2780 wrote to memory of 2072	2780	688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe	cmd.exe
PID 2072 wrote to memory of 912	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 912	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 912	2072	cmd.exe	PING.EXE
PID 2072 wrote to memory of 912	2072	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\688fc52ad8e156a245cd8e62b78e4560_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\22493.bat" "C:\Users\Admin\AppData\Local\Temp\51844B3BA73249DF93867AC43AE3CAD3\""
2⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
3⤵
- Runs ping.exe
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22493.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\51844B3BA73249DF93867AC43AE3CAD3\51844B3BA73249DF93867AC43AE3CAD3_LogFile.txt

Filesize
10KB

MD5
6973e3e8d20e6edc6edce4d96661366d

SHA1
f4247e3eb6eeb20ca084ce9b702649b521fbf717

SHA256
4988b62052e8716740532bdd3ad7125f52347b2a7d18562f1290aa622ffb5f7a

SHA512
47e335a78c709b31c87f493e9972dcb7be661aebd9256695f1fdeb8e5ce89cf04a4fab4b897fd689127dc2b9a4059794eccbef8eb89d21afb0021e2c68b0c285

Download Submit
C:\Users\Admin\AppData\Local\Temp\51844B3BA73249DF93867AC43AE3CAD3\51844B~1.TXT

Filesize
99KB

MD5
807f9099be4146fcce439413b06745e2

SHA1
84d68413320608f08b55cad901fbe4ce5800159d

SHA256
c1627ada9efc4e4e467e1a3446b81adaafe084438fad80c0c7f5818e3e24db08

SHA512
6387159a8eb7968f1bd8e465923b1fd883eecfa9d37b54dcf66b5ca50de4c4cf7a329eb1210fd9256a5d40ff45f845246f353656cf13508cfbcb1e9349e2fcb6

Download Submit
memory/2780-63-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2780-136-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download