3de2443348dd4ee50f1664f0882b9dbd4b19f61be684e131e75de77e36ba8200

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
Size

2.3MB
MD5

af0acb4d57524ec7a3778c87f667e62a
SHA1

bc6f4a31fe11237c029cc547b13b27ac93ea5025
SHA256

3de2443348dd4ee50f1664f0882b9dbd4b19f61be684e131e75de77e36ba8200
SHA512

a6efafca60671c14b68f5a2ad367db16a40337a23181a85f246ad1b5d17fd60e22b02a689e4c0a9527796b3687dc9d5c1de0754f292bfb0928a0cbbefa9567f2
SSDEEP

12288:0o8ju7cNviIHcAqAXAwq/OdjFuxvDwrccpnJ3b/Jhaji:t8j0KviM+AHEAsv8rcwnJ3b/J+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2932	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
2932	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
2096	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
2096	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
2096	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
2096	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2096	2932	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2096	2932	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2096	2932	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2096	2932	af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\af0acb4d57524ec7a3778c87f667e62a_JaffaCakes118.exe main
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wowshell.log

Filesize
751B

MD5
b886a23512c139960165803be7ff4c04

SHA1
eb318cfe52c00a91d2329783b7871964441fad2c

SHA256
0efc66a830a2a4dcdd3b3eb70a980625db34f335a5417bee822220ca4f72d80a

SHA512
cb10ac124b1986dcb506562bac9f36c8be75a62baf789ed3b6795dfcf3ccd33892e5b2f8688832a9707be1cc6c95d3c4563995f0bbf22529fc13b68d1dbde112

Download Submit
memory/2932-0-0x0000000000400000-0x0000000000642000-memory.dmp

Filesize
2.3MB

Download