9f053aa3f8d05fc766e8c9b54d289dc7fab7a468d5e0d5491ce8da74f43aa39f

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe
Size

762KB
MD5

886dcb03bf8bb33f772b4eb25f226781
SHA1

30329b3981e49472a4c7f2ac58e40bd142bffa21
SHA256

9f053aa3f8d05fc766e8c9b54d289dc7fab7a468d5e0d5491ce8da74f43aa39f
SHA512

3546a790b826ebb1e7878066a3257557d1c25850897e1e72abb92cfa8aaee216803e9d9c4b7e52637683060e6e88ad0e3967e4bf69f91c8b89093a5118125431
SSDEEP

12288:XtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnw:XtDltItNW7pjDlpt5XY/2TkXKza/29sf

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe
3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe
3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3064	3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	28
PID 3012 wrote to memory of 3064	3012	886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	28
PID 3064 wrote to memory of 2080	3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2080	3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2080	3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2080	3064	internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\nsj6B05.tmp\internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsj6B05.tmp\internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsj6B05.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsj6B05.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\25111.bat" "C:\Users\Admin\AppData\Local\Temp\AE231EB3BF1C435696BA61C1662F77E1\""
    3⤵
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\$I2XB2SN

Filesize
544B

MD5
f06265101b1ae09b58e0ca437f0b5dfa

SHA1
0efbc573cae03cf9c7a5069f39e94028e3b7dfed

SHA256
3250e0e7d5aa0bcceefb12dec0a925271c5f271569ae26c87a8bbacfc5c16df2

SHA512
97bfd48f853518cf608d429c6518b91b67b731f28761f74aa0dd3fa99e48a72a83c91b6a7095aa804df9648c70a63e62531917fa18b18a54f1ee5e290065d9ce

Download Submit
C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\$ICT4A1D

Filesize
544B

MD5
2a11ff5404844026c87ab09facf3d027

SHA1
8a3f0af63cbb14ea7b1fa49563d42c09031b97a1

SHA256
3f41ad4bca1a7bc1d3b93f09176f37b4e25c2a7f7f5831c7a654e1a268e44fc3

SHA512
136359c5f1281ba9def9a123418291f5a92f1f205f55cbfe32966bd9096b6adeff999a2a9a8d14df1c209f8518e014aa24cd958b59b08c3efd1c95f139156007

Download Submit
C:\Users\Admin\AppData\Local\Temp\25111.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE231EB3BF1C435696BA61C1662F77E1\AE231EB3BF1C435696BA61C1662F77E1_LogFile.txt

Filesize
2KB

MD5
a5d2e5248382bc0b40bf36daf18629ec

SHA1
7a4bd8cae3de1507f07636364d415e9a6d877ecf

SHA256
f3eff33857dae34b296d091bede057ec7d068aeed81aad39e92b0256cabe5f20

SHA512
f86e77ab6a4d6379060180ec782c20295a7a97f8f18a4081c4b85adf3143158edac1a9c143489e5022583a840369e1926143920cc22e83820f2aa48d6c3b0de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE231EB3BF1C435696BA61C1662F77E1\AE231EB3BF1C435696BA61C1662F77E1_LogFile.txt

Filesize
3KB

MD5
f1407250488a571aad6a219b5630f061

SHA1
0c389b536326f2c070a8588cccdfdd5d9e4dd299

SHA256
ca00dec58fe8b5c19e1a45b4c99f7572200f41ab044e8cb137263263e2635dcf

SHA512
ebfed20bf8e85a7b5c3e0696f57a756ee1818cc343580674ee5820b3574ee114ea349bd96befbadaac5e87c757e8de683ed5b912ed21fd2946e656b62d0e811c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE231EB3BF1C435696BA61C1662F77E1\AE231EB3BF1C435696BA61C1662F77E1_LogFile.txt

Filesize
3KB

MD5
d047b5a9db0e88baef8df4f9a9241305

SHA1
1b5c34b6e89bfb8625377b869ef1d518dae481b2

SHA256
d20de5ca65e513731212f854e57cd499ddfeef3a6441cfeb65324f27f2f03092

SHA512
55244e61be2616e27005ee6f50a9dc00dd5c26b194ba5fb38db0d7f4f11ecf3a347523cb2a7712db359cb83816535eee57fd00293a3bbcef8dc4b571e5ec5dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE231EB3BF1C435696BA61C1662F77E1\AE231EB3BF1C435696BA61C1662F77E1_LogFile.txt

Filesize
4KB

MD5
302fb45c0636273eb1a7adf6e9386c81

SHA1
e941817028a23c9c55d24706f649d66d1d30a5a6

SHA256
a414a3058ac5db0df052913c94257268ca55c7d0046cbc69005fb75fffda5c07

SHA512
387132f5ab73fa60a343d325f98019903acf7709d25966c39af7fd35dc951981c24da6d712c20716ecf7324fb02151cb0b38ccc6ffdfd26351b0720df855049e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE231EB3BF1C435696BA61C1662F77E1\AE231E~1.TXT

Filesize
28KB

MD5
20a6003f17a7de15cd30349bd26ec482

SHA1
609504c2d231800effd9e83476b10a143acead20

SHA256
8905277c12f450f8e9d2b387f44bfb14ed9849f8d9a634adeb4ba8318056168e

SHA512
21868216ef9c5709ccf4d8fbfab232dcd5f42ad70e391fb219de0f008cbf019286e23d31010cfce4d974e2578e149b52173626e87036e0e09b8d9da9ad2d9cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6B05.tmp\internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6B05.tmp\internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6B05.tmp\internal886dcb03bf8bb33f772b4eb25f226781_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/3012-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-76-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/3064-213-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download