826245a18d2ae0a7ecefbd4dcb092d791c4df814a20d4bf469afd5d53454289a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
Size

762KB
MD5

8836a52aa23cff25eecc6ec8a2dafb5f
SHA1

e0569db5a25ac6f312c650758ed878ced40ace0e
SHA256

826245a18d2ae0a7ecefbd4dcb092d791c4df814a20d4bf469afd5d53454289a
SHA512

53846fa3f7086f60b12071fff33a0582fb7a6372823d332e9815c1db60cf0054608d0f4a4067b49fa4dd9d89e912bfefa575ed1dc19e70d3e4c791b1f3fe9c9e
SSDEEP

12288:ctobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnc:ctDltItNW7pjDlpt5XY/2TkXKza/29Y

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1616	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2992	1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	28
PID 1668 wrote to memory of 2992	1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	28
PID 1668 wrote to memory of 2992	1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	28
PID 1668 wrote to memory of 2992	1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	28
PID 1668 wrote to memory of 2992	1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	28
PID 1668 wrote to memory of 2992	1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	28
PID 1668 wrote to memory of 2992	1668	8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2100	2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2100	2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2100	2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	31
PID 2992 wrote to memory of 2100	2992	internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe	31
PID 2100 wrote to memory of 1616	2100	cmd.exe	33
PID 2100 wrote to memory of 1616	2100	cmd.exe	33
PID 2100 wrote to memory of 1616	2100	cmd.exe	33
PID 2100 wrote to memory of 1616	2100	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\nso1844.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nso1844.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nso1844.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso1844.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\10759.bat" "C:\Users\Admin\AppData\Local\Temp\CAE2D306955D458EB4A9DC49CB67A1C7\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\$IGG5S0T

Filesize
544B

MD5
1e48be773ca4d74ad5abe1684f9c0ddb

SHA1
99ff460aff929642d5d97793a6b33e54e7275ab2

SHA256
69c1bea068cb869b3ddd3e5f4a7aa518daca35876435a791e75a282c2f57b8b5

SHA512
3d456cbba9bd4f6efca9bb680492d050e5b8a286e1d5ccc68ff6cc94d9cfa10937892d0166c0a3a6da22632667ace009362c3bcdf688cabc90c44ec732305340

Download Submit
C:\Users\Admin\AppData\Local\Temp\10759.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE2D306955D458EB4A9DC49CB67A1C7\CAE2D306955D458EB4A9DC49CB67A1C7_LogFile.txt

Filesize
2KB

MD5
afed7935f3a7fe2a4ce9575f7db26800

SHA1
a58372b21dfe034106b9b4bf1dd0acc3d4bd640d

SHA256
cdc55004847b8c60d328c317792a5075819b0012037b77b06f61f827908df333

SHA512
92ca3e7cfe4d96ec63f874054d187220b57089794d36ed1b0f4765406c2ad937031f1f209939dc1349b4650a193b2e65cec365157a17472e877c3a427b6cf6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE2D306955D458EB4A9DC49CB67A1C7\CAE2D306955D458EB4A9DC49CB67A1C7_LogFile.txt

Filesize
3KB

MD5
d15c7222b655a26687e5ac9e65b5cd53

SHA1
ed3be7c5a72eea08f9a6412919254fffc71d0c17

SHA256
f8a2ea445c91f2f9bedb68c67d7e1c6af3ef08318215b6837ee9ffe0af66b2d9

SHA512
d6634ab0bdcc83c36c347351ba5f2132142f889301d928f4b8deae77bccd6b7cb2690d4cf017dae86785b267bd38ecadeb142c144b669896ef7c6fba9721575e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE2D306955D458EB4A9DC49CB67A1C7\CAE2D306955D458EB4A9DC49CB67A1C7_LogFile.txt

Filesize
5KB

MD5
3fdf407f010514934425e3ccf4c6ff6c

SHA1
7bf3e09515f7d20a74362ec53a684d9aa332ec49

SHA256
c94942feef31b067aaea08b95e4d1b16b29ac130cd515e7d2338a777d2c6c4d2

SHA512
eba28fb1b7b7add1ba4fe01134061d6d452e1be449d735c80f8bca46f0b8b0d628a323643a52f82c428eef5667ffc2439ac9a1634236ee2c4e765851e8f9fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE2D306955D458EB4A9DC49CB67A1C7\CAE2D3~1.TXT

Filesize
27KB

MD5
c070f00deae0ace63f50a99c48586148

SHA1
ca836bb009ef8136842c2b830942179a13dec5c3

SHA256
f892119c0bddd44f907c3590baa80cf27317ecbac3860977b6d55aa6703dfb62

SHA512
103a409e1193993a1b7066b69f74e799f626fd08e0d169fad1f8dea90be420508be28bcdc1a59330f616c0f37ea8aa825d799fb48074df7ff3ecf39ca95e8040

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1844.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1844.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nso1844.tmp\internal8836a52aa23cff25eecc6ec8a2dafb5f_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/1668-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1668-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-209-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2992-77-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download