ebe0f904585eb722dc2348810396a2ec3dcf1eb9365a018ac73a6b966be92433

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 06:54

Target

8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe
Size

44KB
MD5

8358e7a4d61ea6c850e19e1485e15460
SHA1

7fe213d5dcc101a5b9e98833a1ab565b2d06a127
SHA256

ebe0f904585eb722dc2348810396a2ec3dcf1eb9365a018ac73a6b966be92433
SHA512

b3d11f4feb31955e354add47c1d32012ed6d0fc301c447464ebbb800bddf83b9f2edf0da4e5c50a1265e2abd44779ca0b5550158e591faeba538ad1c7dd22bd8
SSDEEP

768:CtZe37wRNBDHW0WpBa5HoqX6pslKRjkBe+wkJMQp2wd3/+H:C8wRNVKBaZDKpslKRjByB+H

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2344	ctfmon.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ctfmon.exe	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe
File opened for modification	C:\Windows\ctfmon.exe	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2344	2868	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2344	2868	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2344	2868	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2344	2868	8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8358e7a4d61ea6c850e19e1485e15460_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\ctfmon.exe
  "C:\Windows\ctfmon.exe"
  2⤵
  - Executes dropped EXE
  PID:2344

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\ctfmon.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\Temp\259403563j10.dll

Filesize
25KB

MD5
b70c0d124b3b48abf7e85364a332ff84

SHA1
28a6e32fe476c49927950fb48e5aa8f966bb1404

SHA256
0f1f1c4e9b2c669d34e97a08cef587882bb1894eb58910b57cfd0883d90bb25a

SHA512
3ec6dc29510aff7ce89274ecb1a661f07f05f580ef52407878ad1847fbfdfce1783acd2ef2009b655820640cc45c7dff421720c21da645469bdcc23ccb9030a0

Download Submit