876a26abe9cf9eff3dff2f455f53248b67ea60e6edd9c516ea988369aff228bd

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 18:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe
Size

1.6MB
MD5

8ef3df376feb431f75af732c6659de56
SHA1

b374fe334ff4bac42bf346bdc5553e0a7a5ee744
SHA256

876a26abe9cf9eff3dff2f455f53248b67ea60e6edd9c516ea988369aff228bd
SHA512

e0378e19fe7d3dda3c4b87db2e76b1e2da5e5c24e863820a236c3517fb964f989587546b3abe365b262a78e5b30f8b1d15628542d268fb3b35a4a68604c67ce1
SSDEEP

49152:sZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9:sGIjR1Oh0T

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3004	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe
2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe
2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2056	2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2056	2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2056	2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2056	2980	8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe	30
PID 2056 wrote to memory of 3004	2056	cmd.exe	32
PID 2056 wrote to memory of 3004	2056	cmd.exe	32
PID 2056 wrote to memory of 3004	2056	cmd.exe	32
PID 2056 wrote to memory of 3004	2056	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ef3df376feb431f75af732c6659de56_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\25472.bat" "C:\Users\Admin\AppData\Local\Temp\6860C75FF5684EE08C442048EAA14E87\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25472.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\6860C75FF5684EE08C442048EAA14E87\6860C75FF5684EE08C442048EAA14E87_LogFile.txt

Filesize
2KB

MD5
c1907c81e9120bf2ab86cbde7bf5a196

SHA1
c0b819425c3a3052b1fa6252a9723ef432a0e04b

SHA256
8570505fa98c9f34f5de0d8de154bb5a1eab5401d8ac78b0f8a180ecdbc1a95b

SHA512
6c39103e2dc562fe3153c807232dcf0465a23558d79ec6d73cd678d39795989cb31868c2e94bf5cf48dd1418cb9864ec982e9d4cccc1c5e97b2b9f93887f8cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6860C75FF5684EE08C442048EAA14E87\6860C75FF5684EE08C442048EAA14E87_LogFile.txt

Filesize
10KB

MD5
e63b5f5f8932fbb015389f104ca1cb14

SHA1
6648917a8f1441c0df11b64c59378722d17e77c6

SHA256
b3a7b8f080554133ab1084333e98726bbb4b40e42a5c12d86c8cd44044dc3f38

SHA512
810fb62ffa696fa37bf4de7dac14fe583e47299f653827765e51240a6d2af64790a60e9f4940bf084d73c1d1887fea717584d734035c049bb3a418b79b7e360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6860C75FF5684EE08C442048EAA14E87\6860C7~1.TXT

Filesize
99KB

MD5
7856f13ab104f13bb98123ad9c3c9fdb

SHA1
9a9f1bdf30f32bf0f637b888cc77190fd931169b

SHA256
57d953cb7b418f691181757a71b32585cd5cfe08841ea825e9a2a4348b3cf6e3

SHA512
d3fb41bccf73b73d2a79d31d93f9bbfe24f1eebc5e068191c3004c906acf3e2021fb7c66ad0072b728b5637f00441657e68c1a098a50c32dfc1e4f954200d360

Download Submit
memory/2980-63-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2980-182-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download