856be80198034f9fabda3f15e7c17e5bb51fa95b38e5d62f448e4ae59cd6d21c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
Size

779KB
MD5

b7dc69e343603e99dee4ed51ce39fce7
SHA1

6a5bb8768f434bf3bdbd679ae05377932671de89
SHA256

856be80198034f9fabda3f15e7c17e5bb51fa95b38e5d62f448e4ae59cd6d21c
SHA512

c21212f9d8d389b2fe9acedd726ec4c6a3bbd37414e84ac297a7e36462e17e83404670623d2e913d901247c16e1c7a38b21d6987810e97a3f422237c99b40b93
SSDEEP

24576:WteurdvnsolYQpuMX14GZdvfAe8xDDgHB5LcmrKBD:WVVsJQd1V4N9DY5Lu

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1588	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2108	2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2108	2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2108	2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2108	2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2108	2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2108	2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2108	2424	b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	28
PID 2108 wrote to memory of 872	2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	31
PID 2108 wrote to memory of 872	2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	31
PID 2108 wrote to memory of 872	2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	31
PID 2108 wrote to memory of 872	2108	internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe	31
PID 872 wrote to memory of 1588	872	cmd.exe	33
PID 872 wrote to memory of 1588	872	cmd.exe	33
PID 872 wrote to memory of 1588	872	cmd.exe	33
PID 872 wrote to memory of 1588	872	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\nsi20FA.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nsi20FA.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nsi20FA.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/b7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsi20FA.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\32321.bat" "C:\Users\Admin\AppData\Local\Temp\AA69EE28F079426283A7E6D1C8966433\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\$IHMRA1B

Filesize
544B

MD5
5028cd13676604d08a006bc42ed3e021

SHA1
00c7f4949477708f1c0a0675563b7db1ab03714d

SHA256
a6883b7d96235fd1054389955c601da7c8840910858ee5bcd4b346d40df08b20

SHA512
b4a60c5e579717932970e652d37e7a8e63b06b94cd820dacee1576d286ef90d11a01d3e5ba96200be8e7859f987b99b0dbbc2bc02abbefa0c97f09bbe56bf751

Download Submit
C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\$IOZ6IMX

Filesize
544B

MD5
9f667eef58a41838f8f02b1679c7bb95

SHA1
3a081408502c340d727a9a40b2153ff9ba631a04

SHA256
2c98965dc6e1bcbdbf2d050056bf16b2aedcc0f2b8b5c9cb7539cc59ab9a1a3a

SHA512
409075d9f4a1bec0979928202d82033b00ecbf3c6694e9f6c90cdc6864018a14085e9be353ab9906177f782424045e5d3f61b21a604b1380278c1f31e96d4758

Download Submit
C:\Users\Admin\AppData\Local\Temp\32321.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA69EE28F079426283A7E6D1C8966433\AA69EE28F079426283A7E6D1C8966433_LogFile.txt

Filesize
1KB

MD5
4605704fe36f5988302a5d1e6e0e4f75

SHA1
a84a076c7863861eb7048f539e465b516bc724c2

SHA256
9dc96d09d921787aa1ca43ee57ea677604fc314d2c0f46d6310e6f6801178ed1

SHA512
45e51f183c2d723f149be4e2e756e11a5757df3560f06032d96fc3ae2766e9ec8b36a3d9b7028fc7c2623215015d4d21656f64015e86281a108d80eda6d24d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA69EE28F079426283A7E6D1C8966433\AA69EE28F079426283A7E6D1C8966433_LogFile.txt

Filesize
3KB

MD5
4c76d6725fc3f360c1c098c037a301fc

SHA1
ad792c9234517ff2ef68fd177945ff4e40bb61cd

SHA256
181bea1ae16e00810197196ae99fc0b1ee8f51b826ee247c3442976be5c8230e

SHA512
8ac8e3f912028ecbf5d2e2e8994a77c4b2aa5d1a694b5afe6f5a507d219392a9c0ea3f566312b6cb599ae3d86eafd7435fbbae32ec8730c8efc9ac48243687e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA69EE28F079426283A7E6D1C8966433\AA69EE28F079426283A7E6D1C8966433_LogFile.txt

Filesize
5KB

MD5
87645ebbf1159cdac0ac15dd3cc53024

SHA1
f5ad5ca029a320a67736eb3073c893b7ed51711a

SHA256
b918bbe1edebc43d4666dd7ca1677a8398e9b4b0882ffbbb7463427b7d1f872a

SHA512
a43d285687eb274747c0942b73b2dca8d626201105a5d963160e15260b67d54576ded4fcad29d571ad62ca42088c3050803feb35b8c6a210cd30bf87a5a821ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA69EE28F079426283A7E6D1C8966433\AA69EE~1.TXT

Filesize
29KB

MD5
643d4d9e94ce0420ab9ca0b6bb8b8569

SHA1
e0cd8a7343f0d90c9fa6f1b739b18098c5f6c068

SHA256
4036fee3926b7b50ba54ba31849c21cbbbd2f2f2f07bae4c919bcfe517740796

SHA512
f037c81e4018f0564e2f6fabc1194bdc96be1f2bde3bb842105efc18428a41384530c12aa5cd8e14c2094a4a017c258d6acde9324a878c405782b4a83da5e3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi20FA.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118_icon.ico

Filesize
17KB

MD5
f0b938585d688a56c81a92e16cfcd2fa

SHA1
881e13bfe686092d4ab913698c54a0eca97e8f95

SHA256
f4150b295a647b311d6a63fe7aa39aba115c157050808b0eae149137c4dee316

SHA512
af7b2efde139798c118a34d0ec53475d79048ed966473cb18a64d552c9871411deda6de1e5abdadeec6b71f35099f013265fe3d51490adc55f51166bab8a2973

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi20FA.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118_splash.png

Filesize
101KB

MD5
3cb90093892c6fb84a6b16345eec874f

SHA1
ed0f3e9caa22b01d65fa281f539b9a37f82fec3e

SHA256
cbf9cfa4d65f5988c336144ce0d8cba1187cddcecb5b623358c5b95f5d11f674

SHA512
2c0a95c768ab35edd6edc78f01247474bccee0b234a92d793c3b04f160abc3ecd833b0c99065b7619f8e2dcc2dfea540d222c4da66d6030c9d547a91799ae605

Download Submit
\Users\Admin\AppData\Local\Temp\nsi20FA.tmp\internalb7dc69e343603e99dee4ed51ce39fce7_JaffaCakes118.exe

Filesize
1.7MB

MD5
c4ca24ec91ced69fc98fac6fba21dc88

SHA1
b84f3a1ceef89673e31e0be210eb33d865d60659

SHA256
c690bea2115b2a16e23c845785772d14fdb978d32cb22bbbce83f53673eda821

SHA512
5783d1b8599d472039e9afca35590f76fe8930c73af4fa35fb796e819ca6d7219bd7ba1a0a6bcf3e8d76e9d873a078d74857a2318f8bbc3eca34c051a9ca4d41

Download Submit
memory/2108-174-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2108-74-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2424-120-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2424-297-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download