573b7774188b3605c359e85530678ffa4a0c7593044bec33dc8b1b4f8fb30f62

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 06:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
Size

1.7MB
MD5

9a20aca3af6c31fb6b75c8e0d0f11ca9
SHA1

5677bd60d8cd6ab79653adc4a51eabe213f0cbd2
SHA256

573b7774188b3605c359e85530678ffa4a0c7593044bec33dc8b1b4f8fb30f62
SHA512

25893736dacba39de1cc0e87908ac4962a26867708879faf4cce886c39fb99d93ff2c8c13e6f7944de8fcaa9606c9171437c9e9f3f7747a3d9f4ce967fa515f8
SSDEEP

24576:6L17cygrFRXppEya9WX0gvBBBdRI2TuEzDj1ZZ5F2jnO2g3AvuSWoyuJ7v4r6x3k:AcyWnaEE6B+fEzDjo20TsGM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2512	PreSetup.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
File opened (read-only)	\??\B:	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
File opened (read-only)	\??\E:	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
Token: SeRestorePrivilege	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
Token: SeRestorePrivilege	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
Token: SeRestorePrivilege	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
Token: SeRestorePrivilege	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
Token: SeRestorePrivilege	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
Token: SeRestorePrivilege	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2512	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2512	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2512	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2512	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2512	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2512	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe	28
PID 1400 wrote to memory of 2512	1400	9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9a20aca3af6c31fb6b75c8e0d0f11ca9_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- F:\msdownld.tmp\IXP000.TMP\PreSetup.exe
  F:\msdownld.tmp\IXP000.TMP\PreSetup.exe
  2⤵
  - Executes dropped EXE
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\msdownld.tmp\IXP000.TMP\PreSetup.exe

Filesize
28KB

MD5
8b64e2b313f2fd2cbfd5c8877cae4b23

SHA1
844adb1b75574068b34ea66793c11d4f9e9f9974

SHA256
4a8c69cff6d9a6ace7d09d776be96a3aa4873cd62b73ffff5886d9083ed674f9

SHA512
f83f0bd8d83aa37086e868fa8507d3ada89dbd81245ffd9c90ac325f2e0ff384187d7a8eb3ee6d129c61f254a9d3bcb5460ba01c2ca431334756b978e181086f

Download Submit
F:\msdownld.tmp\IXP000.TMP\VCRedist.inf

Filesize
3KB

MD5
047585243bc188250aaafa789d33d281

SHA1
cc781b188cc165fb1ceb8c97e6b433bd5b05f3a5

SHA256
14f59a4c5eebbbdeae253a0d7dc6a1dae879ee214e500b7fbf7ab44039f226c5

SHA512
30aefb71ceb097248b0ba28148eb185624fc2ee8385fdca601413e530bfc68a290ceaf4b3f0ddd813aab5e228807648ce439f3237001ced6fa7762a882ad9a43

Download Submit