Analysis Overview
SHA256
0f7b91904b6905c785451b5f41a8a2fa276451ac98a70ec44e2ded6a6c423d55
Threat Level: Shows suspicious behavior
The file a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
AutoIT Executable
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 09:45
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 09:45
Reported
2024-06-13 09:48
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2068 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2068 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2068 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2068 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\s.cmd
Network
Files
memory/2068-0-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\s.cmd
| Algorithm | Digest |
|---|---|
| MD5 | 8d76026c923c121fafb0b0cf7a893af5 |
| SHA1 | ec71c4ff1ffbdbb69ac766ae41b837f9bb3ba5a2 |
| SHA256 | 14157111110afbfb93a20a87e89601ad8d999baed31a1c798fa4f3b7021314a8 |
| SHA512 | 03e8114d7df1a874fe949d5cda806273b981fc273c84d595d38559c6c9b530d125f0dfb676973e7d00f69095ade71524a143b06ba8d002290835cbab662285a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 09:45
Reported
2024-06-13 09:48
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 620 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 620 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 620 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a4e9f54ac71aba1dc3e9d576751e30af_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\s.cmd
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/620-0-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\s.cmd
| Algorithm | Digest |
|---|---|
| MD5 | 8d76026c923c121fafb0b0cf7a893af5 |
| SHA1 | ec71c4ff1ffbdbb69ac766ae41b837f9bb3ba5a2 |
| SHA256 | 14157111110afbfb93a20a87e89601ad8d999baed31a1c798fa4f3b7021314a8 |
| SHA512 | 03e8114d7df1a874fe949d5cda806273b981fc273c84d595d38559c6c9b530d125f0dfb676973e7d00f69095ade71524a143b06ba8d002290835cbab662285a6 |