Analysis Overview
SHA256
8bf27f7fef888a9a66d13de729f3ad30419602ae1f1ecdbb0c3aa67fe7c9a525
Threat Level: Shows suspicious behavior
The file 05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 11:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 11:11
Reported
2024-06-20 11:13
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 11:11
Reported
2024-06-20 11:13
Platform
win7-20240611-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\DtcInstall.log | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\DtcInstall.log | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\DtcInstall.log | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05757d9d5b3ab79866ff01439e35d19c_JaffaCakes118.exe"
C:\Windows\DtcInstall.log
C:\Windows\DtcInstall.log
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\Temp\red1.bat
Network
Files
memory/2240-2-0x0000000000470000-0x00000000004DE000-memory.dmp
C:\Windows\DtcInstall.log
| MD5 | ab62232e4a6bfbe78ee7e2034ca5b103 |
| SHA1 | 426a0e9149a6a9b8fa5a85aa2328d16ca717cfc4 |
| SHA256 | 60be6d417c86b06b6ee3bcf46fd4b851f3abff454064b8bec6d22bf4881b0896 |
| SHA512 | b756d2cb99e7c111c59986d69f07c0c3df7fe481f75f17b36e1ee52ccf137d28cc6411808be1d31dabd45054205dcb9b34b410d1776b553048f808c88bfe0e0a |
memory/1564-13-0x0000000000400000-0x000000000046E000-memory.dmp
C:\Windows\Temp\red1.bat
| MD5 | 1084c776c10d0d79c5656843a849921d |
| SHA1 | eb939e468299ed0e124e49042e75cb5f01bd146f |
| SHA256 | a32c88128b9515e44645c838c3756c78bdc855f34808656134cb1714d8fc5460 |
| SHA512 | 33e75bb5577042b2e21fadf1332a6e47cc54a69217a75116f5c272d5990f271476e27b71492271b2d14c21c1901da86a73e51a7c1303d684081c759e282a7433 |
memory/1564-14-0x000000000044B000-0x000000000044C000-memory.dmp
memory/1564-16-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1564-19-0x0000000000740000-0x0000000000743000-memory.dmp
memory/1564-18-0x0000000000400000-0x000000000046E000-memory.dmp