812c0ef157c5d6a2560f3fb7ec60067dd19bbbf87dd811cf6a1d8a4afb223389

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
Size

1.6MB
MD5

6bde4c70d6c9fa329fc1c4d4ac753d30
SHA1

99cf1a2681ac37418acf61d9871a3a6b1ff1a11a
SHA256

812c0ef157c5d6a2560f3fb7ec60067dd19bbbf87dd811cf6a1d8a4afb223389
SHA512

57c1863b708c4d7dd1838a9fb1042217ba44e74257f984de3190f5223e08416573f5921044beb3c0bc117e581f665cb73c5c03bf68a4ba7b8dcb6940c9fc6f13
SSDEEP

49152:jZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9R:jGIjR1Oh0T1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1732 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

pid process

2240 6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

pid	process
1732	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

pid	process
2240	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
2240	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
2240	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 2068	2240	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2068	2240	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2068	2240	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2068	2240	6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 1732	2068	cmd.exe	PING.EXE
PID 2068 wrote to memory of 1732	2068	cmd.exe	PING.EXE
PID 2068 wrote to memory of 1732	2068	cmd.exe	PING.EXE
PID 2068 wrote to memory of 1732	2068	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bde4c70d6c9fa329fc1c4d4ac753d30_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4918.bat" "C:\Users\Admin\AppData\Local\Temp\54BA7B891FAB4F3687E55630B8C3ADCC\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4918.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\54BA7B891FAB4F3687E55630B8C3ADCC\54BA7B891FAB4F3687E55630B8C3ADCC_LogFile.txt

Filesize
2KB

MD5
ff800dffdac815c3e5c201038352357d

SHA1
5bc323c4fe47cb6fc68a9f53f9fc6f60e9a03f39

SHA256
0f819bf9500a3b859ab143602e6251081e4bcb8095bb383e3218b65d4b433686

SHA512
c680bf70ff024914c5b046c1af882a8274398903efca16ad2d6c82cc1de4c55a8f14d0ea8b0418fb238af4ba5d84268bd2c2e886e5b5ba8fcc67d36d4e835605

Download Submit
C:\Users\Admin\AppData\Local\Temp\54BA7B891FAB4F3687E55630B8C3ADCC\54BA7B891FAB4F3687E55630B8C3ADCC_LogFile.txt

Filesize
10KB

MD5
28d78446ea24ed311e70ac35aa10c913

SHA1
336976c37526145f47e5d431753db84efff41186

SHA256
7d93ce00749dc390a287bb28b3a37384fa9cece0b5acebba6443cebde606bd41

SHA512
c4ada3a48e041633c2168bf7358473d2a5055ad141f5cc7f52afb53e4242165de387225ec6f09692b81678df869daf9521bf41b01c258fc5fa14bd9b7eb0a24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\54BA7B891FAB4F3687E55630B8C3ADCC\54BA7B~1.TXT

Filesize
106KB

MD5
46614813811d76f329293441ae28e26a

SHA1
fbd8706048e4eba0b80b3e3a126f542852461e23

SHA256
deae1595be5481d5a05d6fd20c1a396ab59522fb5b4085eb6a94b66ff056957e

SHA512
966fb5302871bf4e9f1bd03a669d10678556dd74c3648dbd25201d25777f242a87ff84c27f36954aafb338dd5226069ea2a87665796ae5ae3a03276d9f5a506d

Download Submit
memory/2240-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2240-106-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download