9e9279746c647b866c4d0a49857541cc29029f4af51c7d7ce3bee9ff1e521807

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05789264712317621a7884b6be00e612_JaffaCakes118.exe
Size

185KB
MD5

05789264712317621a7884b6be00e612
SHA1

4958ccbe87dd8ef95e18748ddfd78054d4645a59
SHA256

9e9279746c647b866c4d0a49857541cc29029f4af51c7d7ce3bee9ff1e521807
SHA512

db451776d3e8a7f20f5c7a06cc6312a80a3128b5c5ea1fa391f31bfd8b2e33cb2357248d1f3cbf0799421b549e04479835f4bdbab5b389841ebfbab2d419214a
SSDEEP

1536:KKQuCwj//LIlk+gSz5B2ATQrnkAXcPI0JR86liNcCcGd9xKQNblHRi/mE+EXWD6J:QmDSz5BZycv8mqdNl0/mEPXWDuV+RDq

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	05789264712317621a7884b6be00e612_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	05789264712317621a7884b6be00e612_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2444	05789264712317621a7884b6be00e612_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2444	2416	05789264712317621a7884b6be00e612_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\05789264712317621a7884b6be00e612_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05789264712317621a7884b6be00e612_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\05789264712317621a7884b6be00e612_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\05789264712317621a7884b6be00e612_JaffaCakes118.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2444-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-6-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-4-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2444-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download