f5be14aa53f6c45ac6bcb020450a038f78bdf384880f6b6a02f920a2ecc4e2df

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 04:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe
Size

1.6MB
MD5

89572251d9371cf28e3e0e97f6adea7e
SHA1

76df27a421e518f527ca0e75360067e956f159f0
SHA256

f5be14aa53f6c45ac6bcb020450a038f78bdf384880f6b6a02f920a2ecc4e2df
SHA512

18d5642731af94da1673464ef9f4f83eb6434a595dafe25914bb10cb05d9bfc13f199204630c35faf6552e8c280e86f63c9470acbdd3f96e2d1017daad6d0805
SSDEEP

49152:lZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9J:lGIjR1Oh0Td

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2312	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe
3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe
3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1796	3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1796	3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1796	3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe	30
PID 3008 wrote to memory of 1796	3008	89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe	30
PID 1796 wrote to memory of 2312	1796	cmd.exe	32
PID 1796 wrote to memory of 2312	1796	cmd.exe	32
PID 1796 wrote to memory of 2312	1796	cmd.exe	32
PID 1796 wrote to memory of 2312	1796	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89572251d9371cf28e3e0e97f6adea7e_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\27744.bat" "C:\Users\Admin\AppData\Local\Temp\F19648FB6FE54EAEB35F91BA51AB85E7\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27744.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19648FB6FE54EAEB35F91BA51AB85E7\F19648FB6FE54EAEB35F91BA51AB85E7_LogFile.txt

Filesize
2KB

MD5
9d70a0157656500e889956d16b4b4d56

SHA1
238fb0d49352a919d8c2de27a9f3ace132179cd6

SHA256
8da35b223443b47053d7fae6b0f18e5fcf7817b7d9c86920ed3dc77129397c05

SHA512
853fb9267ceefc4adb8de28d204db1bc32be089c0ada5f0bd1458a09b37c8b1503b099a4451d37bbc88e30cd15f4bdf2d29a32f18a0d0d6c1fc40e30b233d142

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19648FB6FE54EAEB35F91BA51AB85E7\F19648FB6FE54EAEB35F91BA51AB85E7_LogFile.txt

Filesize
9KB

MD5
a953e6e954690fce31a6e1bda7f2c936

SHA1
ee40705137f11f6fdb654a558be01887a49a50e6

SHA256
aac24c1eda492de55c337243af06fc527c30bf73369f1811bc3c0513da184b43

SHA512
43b9637af8e3799a0689b3f4994cbdf58a5dc0b0ced93a8a27bee613080705c1b128dac1d3335c43e9379f13812c2f88cff8f8c413db71ca72cd42f8b83d0845

Download Submit
C:\Users\Admin\AppData\Local\Temp\F19648FB6FE54EAEB35F91BA51AB85E7\F19648~1.TXT

Filesize
99KB

MD5
96a70322fcb2da47baa0775bd23e660f

SHA1
f93dceea0b879e92d77ad9ec8d4dcaf6b17d9164

SHA256
b933075357aed167e2aa5b9870fe76e333175658f018d6e62920f2e0a10c433d

SHA512
cbac0b799a9fc71e10eae521b4e283af8184752c6c00380f7f91a17510f577f89b6b98b1b1956ada07c0a143a259810f00989f436123425a13700e9127bd0bd1

Download Submit
memory/3008-63-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/3008-179-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download