448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
Size

762KB
MD5

a2fc100d7e3f231238e49978dfc1b828
SHA1

362a9e6f6db68c3dbe7b56651e1c5f28a094ce64
SHA256

448503a54b7884e050378fb717a3e5bf590c03c31693b6a773afe0e35e9fcc1c
SHA512

da7a38843350966ae11e652c156f807d98b79b622bbc5f2c1bab1fa0a340415f43ed30123d0c8b5e55161fde23ab8c3bffbbf061f644ab649ed351a2038f4c26
SSDEEP

12288:AtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnI:AtDltItNW7pjDlpt5XY/2TkXKza/29s

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2148	2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	28
PID 2980 wrote to memory of 2148	2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	28
PID 2980 wrote to memory of 2148	2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	28
PID 2980 wrote to memory of 2148	2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	28
PID 2980 wrote to memory of 2148	2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	28
PID 2980 wrote to memory of 2148	2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	28
PID 2980 wrote to memory of 2148	2980	a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	28
PID 2148 wrote to memory of 1724	2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	30
PID 2148 wrote to memory of 1724	2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	30
PID 2148 wrote to memory of 1724	2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	30
PID 2148 wrote to memory of 1724	2148	internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsi5BC8.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/a2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi5BC8.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\329.bat" "C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\""
    3⤵
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\$IOOQG0B

Filesize
544B

MD5
a84af774cdd68fe927b2945baf003f94

SHA1
8bd1699bcf3b98637794a5036c47fa48ffd8b8b1

SHA256
37af9135593b3fafd5db2d5efadbf05024500510645baef3f744c68258c09b26

SHA512
75df6624c87293d931276d941867ebe7f02a128c1b39069af9303234aef633f4b4888964d1ddb3a8b0449e8baa90be2347750e447421c1e201f9d71120cf2b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\329.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt

Filesize
1KB

MD5
ef1f264f9cd443f924583915aa767cd9

SHA1
da808bc0c6b9ad350a0381eabc8bc1f50a6234a0

SHA256
49c017aaf173d566203ed1561f1a8faace334d73d25dd4a0413f39ba5348bb8c

SHA512
f78736c8a46d40bb5d121130298e6be3a8d848ab9d4bdf03bcb208fe545ac90052d7aab2514f4ae5d6af361fc6f4f4badd785d6b78ef515aea5b90f4367decec

Download Submit
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt

Filesize
1KB

MD5
9f5f10db782cbffe13612a55f46bae2a

SHA1
e8e752139a893ec51768eefeb909fc7d59f51db5

SHA256
861920e5535e09f611de438df4ce24399efbdc77ccc5e01270fa313cd884f353

SHA512
63ced942e01ea4e5bb4f7b066297ad1e5c0055ec24d87db0d2bebf1e748b1d6676599b5f1be8c8e51eabcb38b94c8de21cf32eeeb473d002c61dab87b4ea8f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C34328398846898DA3E2DE05F1F85E_LogFile.txt

Filesize
5KB

MD5
a2a0034878018d56ea6ef448773a8ed3

SHA1
2eb810120c139155140343ef627284d9965be1a2

SHA256
9c2840d8fcee2a2e14064632f9038cad1c83e2dfbba49d82ae3239214ab60c3c

SHA512
d3cbde4aea8febed4b9b8f4d522c86f2f11f1840a541834d115ee455762de01d013a419446481b3d5e3e871fe345217496083162d27faca3c03986983a57f5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\64C34328398846898DA3E2DE05F1F85E\64C343~1.TXT

Filesize
28KB

MD5
b2440aeee7729027e383ce3b58c6c288

SHA1
0b9a025d2a1880875403d132f534aa83e8f35971

SHA256
eb1408e13ef040705c4295b6ad3b05b41576a94ae20305e7853b65cb2bfb1783

SHA512
410aea63379396c1298b9428133dcbcd3efd56e1b13e830b90809428d409a8f5d386a1ebff0508e9c633f2314be1acf641b96476022b5d652aa43d56fc770703

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5BC8.tmp\internala2fc100d7e3f231238e49978dfc1b828_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/2148-74-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2148-213-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2980-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download