4cd5e9da03cf453504bd3d4f48dd4263b27176d9fd1c66492d69ac8547ac254b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c463403e28d202d08d418caead6491_JaffaCakes118.exe
Size

762KB
MD5

b4c463403e28d202d08d418caead6491
SHA1

d5827a9d8081d7ebd908241d95a456192121a729
SHA256

4cd5e9da03cf453504bd3d4f48dd4263b27176d9fd1c66492d69ac8547ac254b
SHA512

68c0887aaadb9fb987dc16a9aa50cfda70611978f67ea8fe21e1e4dd14557416d74bf3420f422990f66f7d1db084beb96b5f467eb2f19d9416ec9149401a1268
SSDEEP

12288:YtobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnA:YtDltItNW7pjDlpt5XY/2TkXKza/298

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1632	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe
2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe
2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2980	2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	28
PID 2808 wrote to memory of 2980	2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	28
PID 2808 wrote to memory of 2980	2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	28
PID 2808 wrote to memory of 2980	2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	28
PID 2808 wrote to memory of 2980	2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	28
PID 2808 wrote to memory of 2980	2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	28
PID 2808 wrote to memory of 2980	2808	b4c463403e28d202d08d418caead6491_JaffaCakes118.exe	28
PID 2980 wrote to memory of 2984	2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2984	2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2984	2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2984	2980	internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe	30
PID 2984 wrote to memory of 1632	2984	cmd.exe	32
PID 2984 wrote to memory of 1632	2984	cmd.exe	32
PID 2984 wrote to memory of 1632	2984	cmd.exe	32
PID 2984 wrote to memory of 1632	2984	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\b4c463403e28d202d08d418caead6491_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4c463403e28d202d08d418caead6491_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsy1180.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/b4c463403e28d202d08d418caead6491_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsy1180.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\9599.bat" "C:\Users\Admin\AppData\Local\Temp\51AA8024D7D8427EBC7D621FDD7AD277\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\$IDEZJX4

Filesize
544B

MD5
edaf3597efc6d9ff0ebf715b1e979685

SHA1
4bff62fbd933c9b95d0d28c5e51614c999962e9d

SHA256
55867af412b61773680644134efb154cbc69fb9ca3dbfd042f77ad6dfe7e38e1

SHA512
b9449e369120d1cbff75d964866f566057b1dd0dfdf4bf5dcd647c022af51677fd455ce73305eefa005cf2e4ed54d39582338ce82ee47a5decc4e54d4fd0e084

Download Submit
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\$ILBGGSM

Filesize
544B

MD5
ac91225c5ce96bf0920033b3efc41c70

SHA1
bf5707408876740fc121262df7031a8568200849

SHA256
e080c27d1b1eecd54553b696a84ceeb766cf53b550d5a6f24f22099cd60e61ca

SHA512
c70b52d59e43184744bd673674c6c2e0c0df33d021d7ba1f051ce8cd415efbbbe00c55e5088bf552225966f4373c2a68d0eed04c6995eab42302d72fbf57b7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\51AA8024D7D8427EBC7D621FDD7AD277\51AA8024D7D8427EBC7D621FDD7AD277_LogFile.txt

Filesize
2KB

MD5
ef4b49f69077e91eca08ff025c7fa874

SHA1
d7719c8e7e7d5ecc99a455f351dd389c2f5d2a3c

SHA256
8f4326a5deddd3bce794cb0d2b915165bc62402c7b69d2830dccf114098d0ef7

SHA512
71b325836e6475217a16faa673dab41d628919cc4a6f8a1c903e74ca13675b6eff335b88f9f00770b93b236334c4ee76e3aaeb23421697adc6d77af916f0891a

Download Submit
C:\Users\Admin\AppData\Local\Temp\51AA8024D7D8427EBC7D621FDD7AD277\51AA8024D7D8427EBC7D621FDD7AD277_LogFile.txt

Filesize
3KB

MD5
d55279532d9d9ad7545bbe9a2f31f191

SHA1
81b40cc5f13f2cd1af22a5de855a9ae250ac48ac

SHA256
509021feeb0716a389e6d5c3dd62e2c94ea3af37939f6f3473ee3829142af92b

SHA512
402ce695612ac526e315b9829082c935a49f58175aaea1c128b8b38dc18b809a0be1ea69f552f6b6a875d3ee1bf26884e06369d1838e10a3f4c26f4a49b4b5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\51AA8024D7D8427EBC7D621FDD7AD277\51AA8024D7D8427EBC7D621FDD7AD277_LogFile.txt

Filesize
5KB

MD5
dd971652426300996dc983a99224e4a3

SHA1
5e2e2f2a7982854310d12e36dce71396d97e0984

SHA256
728722177ab57baa632702e234b9a6186c7fc5ff72335fc6fcbb5607f2a27779

SHA512
a24e7b7eb3e7540ee2428c91291befafc5d9867ff7cd422fce77b74426af7413e2bca6d06183dca7d52aaa78186072075a94f6fbfaf207207be0cc49117ddac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\51AA8024D7D8427EBC7D621FDD7AD277\51AA80~1.TXT

Filesize
26KB

MD5
de297073277c0853af358192cb00caf4

SHA1
92dc09f2f1a40a5e8d0ee86eeeb0b0eb9c294318

SHA256
d03db378e9df92f12755e7249e1c274d8f21f6f5ee2a93de368165b3e92a3459

SHA512
6d3734f3f3c754056c57abbed3103f6c35e9b32745c16d67b666138ad8293972565b4caf2287743ca655a132db4b9ce0283d2748c0e07234ae7c45a7830275e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9599.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118_icon.ico

Filesize
31KB

MD5
1f047e870359e4ef7097acefe2043f20

SHA1
82ab7362f9c066473b2643e6cd4201ccbf0bb586

SHA256
f8aa104cfb7abbceac412d4906ce10f5cf576dd4eb9a525103946d692c55734e

SHA512
e4e779676d19d84507250adcffcd9cba99c1666f7678f832c03e41f5f264d16a43ae924d8e29e783d84b2742be1a45803aec99a36b9a3784c4f2d6edd297e286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118_splash.png

Filesize
65KB

MD5
ef1514e5d2bcf830b39858f0736d7de7

SHA1
832214b62cb3e56f858a876fc3f09cb3c3324cbb

SHA256
c61599b0e0207ac5f7db1551e96818ec4abcbf77def4afe00fb2bbccc2ca6bb1

SHA512
cf547ad17ca774bb18c3931625eb3c7b6fe208af433332efa11653605f346d5449289739dbce66aef1c50fb134966419defcb02fd5bb206f8a2211f0e4b0e45d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1180.tmp\internalb4c463403e28d202d08d418caead6491_JaffaCakes118.exe

Filesize
1.7MB

MD5
d4c16982f8a834bc0f8028b45c3ae543

SHA1
9d9cec9af8f23a23521e20d48d9af1024663a4a7

SHA256
932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b

SHA512
c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c

Download Submit
memory/2808-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2980-157-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2980-76-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download