f026d50b07ce03513c5692b161d76c3da6f521c86b84c5784506bf8f83de4b02

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe
Size

31.0MB
MD5

9be52b324ea275a3d674c7813e57cc84
SHA1

6830bc06f59f5969ee26dcec04b16f2d45084ca1
SHA256

f026d50b07ce03513c5692b161d76c3da6f521c86b84c5784506bf8f83de4b02
SHA512

7ecaa98b407fd3afeb96670415f98ad45c5b51105c55f80a4f1e3f2738e7d767e4ad04326b0e1076d2f7ce68db707b122f5cdfaa5f7ca1ba965cddf74440a252
SSDEEP

786432:6+KyiqgwpT/LgJISI+i01/SGXcff6GCdgkJYeVKuiy3MPuqyR:6+L1gw2eRbHfMgkjIMMPuH

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp

Loads dropped DLL 1 IoCs

pid	Process
2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3004	NETSTAT.EXE
2976	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	NETSTAT.EXE
Token: SeDebugPrivilege	2976	NETSTAT.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1640	2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe	28
PID 2076 wrote to memory of 1640	2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe	28
PID 2076 wrote to memory of 1640	2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe	28
PID 2076 wrote to memory of 1640	2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe	28
PID 2076 wrote to memory of 1640	2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe	28
PID 2076 wrote to memory of 1640	2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe	28
PID 2076 wrote to memory of 1640	2076	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe	28
PID 1640 wrote to memory of 2936	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	29
PID 1640 wrote to memory of 2936	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	29
PID 1640 wrote to memory of 2936	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	29
PID 1640 wrote to memory of 2936	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	29
PID 2936 wrote to memory of 3004	2936	cmd.exe	31
PID 2936 wrote to memory of 3004	2936	cmd.exe	31
PID 2936 wrote to memory of 3004	2936	cmd.exe	31
PID 2936 wrote to memory of 3004	2936	cmd.exe	31
PID 2936 wrote to memory of 2556	2936	cmd.exe	32
PID 2936 wrote to memory of 2556	2936	cmd.exe	32
PID 2936 wrote to memory of 2556	2936	cmd.exe	32
PID 2936 wrote to memory of 2556	2936	cmd.exe	32
PID 1640 wrote to memory of 2796	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	33
PID 1640 wrote to memory of 2796	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	33
PID 1640 wrote to memory of 2796	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	33
PID 1640 wrote to memory of 2796	1640	9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp	33
PID 2796 wrote to memory of 2976	2796	cmd.exe	35
PID 2796 wrote to memory of 2976	2796	cmd.exe	35
PID 2796 wrote to memory of 2976	2796	cmd.exe	35
PID 2796 wrote to memory of 2976	2796	cmd.exe	35
PID 2796 wrote to memory of 2724	2796	cmd.exe	36
PID 2796 wrote to memory of 2724	2796	cmd.exe	36
PID 2796 wrote to memory of 2724	2796	cmd.exe	36
PID 2796 wrote to memory of 2724	2796	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\is-1G7VG.tmp\9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1G7VG.tmp\9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp" /SL5="$40112,32183443,57856,C:\Users\Admin\AppData\Local\Temp\9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:"0.0.0.0:80 "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"0.0.0.0:80 "
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:"0.0.0.0:443 "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"0.0.0.0:443 "
      4⤵
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-1G7VG.tmp\9be52b324ea275a3d674c7813e57cc84_JaffaCakes118.tmp

Filesize
708KB

MD5
c9d9480f660dc96dd8bd027ceee9a80d

SHA1
28b045d64197f09a1b69a00f6380625f8fcdbb6b

SHA256
c756e1ffd47dad1dd84c5dbb73660916bb1d24499523a1485b1c3a42adcac6cb

SHA512
44d1a455934ae0db05a7f1355b73e24773e0fa416f1cd51efc83eaf4ede32c56228914917691514032e564ab745f5d2006f640406593cc29e4e59785136030a8

Download Submit
memory/1640-9-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1640-11-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2076-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2076-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2076-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download