056fe321c32c0dd98babdf16303ee3decccde11fcf8d7444445ddcba1ca05c92

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7338ecc3b235c3c92de9584ccf26e947_JaffaCakes118.exe
Size

257KB
MD5

7338ecc3b235c3c92de9584ccf26e947
SHA1

445e361a0cdc10c8256c05575451ae1e9ce9c655
SHA256

056fe321c32c0dd98babdf16303ee3decccde11fcf8d7444445ddcba1ca05c92
SHA512

b5d373c97c8e8a305f98f3d54b798b6c14a3c1cc7eeac9611501ca1b89fc2d657adf7c32508bd1a57f93d88836c2d84afc0c69298759a6e02d6503f132b1eea1
SSDEEP

3072:W3tpk0dCvZITety9kqAZETZsd3qTGhMuIj2h+tgz1tRpkNphVGXCPfTpEgdHPHTn:WPk084etyiJU6ayhTz+Czsh9Tp9lPHTn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	Supportive Pack.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	7338ecc3b235c3c92de9584ccf26e947_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	7338ecc3b235c3c92de9584ccf26e947_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\NANDSave.job	7338ecc3b235c3c92de9584ccf26e947_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7338ecc3b235c3c92de9584ccf26e947_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7338ecc3b235c3c92de9584ccf26e947_JaffaCakes118.exe"
1⤵
- Maps connected drives based on registry
- Drops file in Windows directory
PID:2900

C:\Users\Admin\AppData\Roaming\Supportive Pack\Supportive Pack.exe
"C:\Users\Admin\AppData\Roaming\Supportive Pack\Supportive Pack.exe"
1⤵
- Executes dropped EXE
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Supportive Pack\Supportive Pack.exe

Filesize
64KB

MD5
37f6aa5aff16ab6c053d7df777ac0801

SHA1
6368e6de7e65ab84f8e4e0b7a6ca7ae19f56a437

SHA256
4feed799600361f4bf3e566f25d725372af1843e9bfc49beb102fc0b631522b4

SHA512
5774db7168bbd52b997700dfafc895fa8a2035aefbd8416e7fd10e0e1bbb6a6f6b44ca03fe1e309bc4f406e7e67990bfa9b1ad42713248c1b74be8215179ae06

Download Submit
memory/2900-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2900-4-0x0000000000540000-0x0000000000569000-memory.dmp

Filesize
164KB

Download
memory/2900-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2900-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2900-5-0x0000000000580000-0x00000000005AF000-memory.dmp

Filesize
188KB

Download
memory/2900-9-0x0000000000540000-0x0000000000569000-memory.dmp

Filesize
164KB

Download
memory/2900-16-0x0000000000540000-0x0000000000569000-memory.dmp

Filesize
164KB

Download
memory/2900-12-0x00000000005C0000-0x00000000005E7000-memory.dmp

Filesize
156KB

Download
memory/2900-25-0x0000000000540000-0x0000000000569000-memory.dmp

Filesize
164KB

Download
memory/2900-28-0x0000000000540000-0x0000000000569000-memory.dmp

Filesize
164KB

Download