Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/05/2024, 15:11

General

  • Target

    8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe

  • Size

    186KB

  • MD5

    8129f5c2ea12bcdb5692e51836a42e04

  • SHA1

    3786c64ddaba900425149737008311d61bc15498

  • SHA256

    fcb24a9cb3150900c86e239ddf537543f7a3e92d01da38f6ffd4106aecd7e29d

  • SHA512

    40eb6b8924ab396376d36dc7c8c0d09a0f6e3bb56b548020ec9f9490e27db88d9da7cbe20f8e69ef105b80948807300feb069692751934da6bc4d10b7a2369d8

  • SSDEEP

    3072:TQ/lV7kaoeogcqYeDHw30wi857goKkqglu09NPD5yLGVkaYG51eE3jEzS+NMmDbe:+3YYV07goKjgp9DUW71euYfdf/VGWOT5

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8129f5c2ea12bcdb5692e51836a42e04_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\4481.vbs"
      2⤵
      • Deletes itself
      PID:2356
  • C:\Windows\SysWOW64\kkaaya.exe
    C:\Windows\SysWOW64\kkaaya.exe
    1⤵
    • Executes dropped EXE
    PID:2232

Network


Downloads

  • C:\4481.vbs

    Filesize

    500B

    MD5

    94886278d0f286b4386d17fd4a380edc

    SHA1

    36fb8ccc12c010cc9ddbeacef91b1b5fc3f92f40

    SHA256

    3f2ac0f1ff88f7e493c78edc7d4090b248177c0643ee92c128e2160642ede786

    SHA512

    ac87d89a1ce72236bebe791c5af9f03e2775ca38e894bffc43a4bd10fa06f0d2f11d5d062757039d2708689c6903d3b8cb272e7990469428cf07a67504b4f031

  • C:\Windows\SysWOW64\kkaaya.exe

    Filesize

    186KB

    MD5

    8129f5c2ea12bcdb5692e51836a42e04

    SHA1

    3786c64ddaba900425149737008311d61bc15498

    SHA256

    fcb24a9cb3150900c86e239ddf537543f7a3e92d01da38f6ffd4106aecd7e29d

    SHA512

    40eb6b8924ab396376d36dc7c8c0d09a0f6e3bb56b548020ec9f9490e27db88d9da7cbe20f8e69ef105b80948807300feb069692751934da6bc4d10b7a2369d8