83643f6f03a61471c548172eea1aeaaf6aecd75d9604424c2c7bcdd491a9e04b

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
Size

1.3MB
MD5

724c4e4983e766968e9aab850af1c889
SHA1

6b8288b41b454fb8163f8c2cfde6526379c4182e
SHA256

83643f6f03a61471c548172eea1aeaaf6aecd75d9604424c2c7bcdd491a9e04b
SHA512

5fc6b7dc2105e1a208eac2fd9cb777f22d694900e098ee56a8029a9ff418d8035da9ad883d83391be164b51af5b12c1b5b987ad4ffb4002fc2c268abc58b43e7
SSDEEP

24576:GzAreSwJO3Jn4VlFx6edsS0s6gZ4PcLEXVSRzvxtGsiQhG+XdA4N5A:GzArnZJnULsq5uVSRzJ0064c

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

wscript.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url	wscript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe

pid	Process
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

724c4e4983e766968e9aab850af1c889_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 2760 wrote to memory of 2696	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2696	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2696	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2696	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	31
PID 2696 wrote to memory of 3012	2696	cmd.exe	33
PID 2696 wrote to memory of 3012	2696	cmd.exe	33
PID 2696 wrote to memory of 3012	2696	cmd.exe	33
PID 2696 wrote to memory of 3012	2696	cmd.exe	33
PID 2760 wrote to memory of 1856	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	34
PID 2760 wrote to memory of 1856	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	34
PID 2760 wrote to memory of 1856	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	34
PID 2760 wrote to memory of 1856	2760	724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\724c4e4983e766968e9aab850af1c889_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\wscript.exe
    WScript "C:\ProgramData\GCxcrhlcfj\r.vbs"
    3⤵
    - Drops startup file
    PID:3012
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\ProgramData\GCxcrhlcfj\cfgi"
  2⤵
  PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GCxcrhlcfj\r.vbs

Filesize
662B

MD5
7cc317139a7d477bc8c5faf0fafed491

SHA1
3966c44cf9988e6cc6af135eac5b7ab93d2c4058

SHA256
c065f76aad68eedaf001ec5142e7bcaaba73916b3903037cc46a54eb67be77a8

SHA512
5e8f3bc963c690f4000349589fe11f08b4efadff7b8d56a9634692ec4fbbbce4330935ee3afbd8542e3c770f68cab4b9949ea7f06c9996e040b42969a7fb7fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EJMbfDcdzM.url

Filesize
74B

MD5
059ec62ae3c51a6ff8d0f02363e108e9

SHA1
24742ba20d3323718b0ee51c9efe166825b314a5

SHA256
117b0440b143c36cbe18a6b01f7f0c483a0a67a10600140e545d0c3c61634ac8

SHA512
62dafb2db57840cd0d0886dbe92af3a82f7f82902118a985e6baf81f3f3bc5dc5076d28c3a3ae601a83e7c2c9ee845c030752f36b02f586828bc427284989664

Download Submit
memory/2760-0-0x0000000000580000-0x0000000000686000-memory.dmp

Filesize
1.0MB

Download
memory/2760-1-0x0000000000580000-0x0000000000686000-memory.dmp

Filesize
1.0MB

Download
memory/2760-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2760-3-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2760-4-0x0000000000580000-0x0000000000686000-memory.dmp

Filesize
1.0MB

Download
memory/2760-6-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2760-23-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2760-22-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download