c81652edd3ccf730035f2d56df752e0a5e43c89b7360cd9243484d1bbe8fa036

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe
Size

82KB
MD5

03be069a88d5bdd4ee0db5763c05bcce
SHA1

7dd235fced09c7a7c5ca5f9802b450231e543ee3
SHA256

c81652edd3ccf730035f2d56df752e0a5e43c89b7360cd9243484d1bbe8fa036
SHA512

fd1d684069a95c657ece9c2b632ab79220c8ff9c1e4e8eb7ec8e95914cf04aa1654de9daffe40c228c76d8bbe9590164b94e740a88dd8af64519a00b00ced4a5
SSDEEP

1536:h/xZLTAncqdhdZAeMSSVIbVJgncq+k3Wh2Q4ghfe/b3s3+EttvLaPXFr:h5ZHKcAJbVJO+k3WUs1e/7s3+ClOXFr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2612	2844	03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2612	2844	03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2612	2844	03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2612	2844	03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2612	2844	03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2612	2844	03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2612	2844	03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03be069a88d5bdd4ee0db5763c05bcce_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dkb..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dkb..bat

Filesize
238B

MD5
b43d07172deb25bee6240522c50526f2

SHA1
2e8aa8ce79b7cfd0fdf173489fb6085348788eb7

SHA256
76f46907dd1105f5f4b1f6ed38c567f4a451107227170fdd6a5ccbedac1a3def

SHA512
1d6f8906bdd077b543096c28809014a0bb0bfa2502d556ead7c8a5c993a18f98d853732b82f5bf1406b6d00e2fe08c3f78520c14b2c0f338b15f647ec5e4ac99

Download Submit
memory/2844-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2844-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download