2f3044f95aa02cab05ae8f65a130ec07bd91fb128bbe2765b3d590a87835e208

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

068b80e5db838244c82891366e8f1559_JaffaCakes118.exe
Size

32KB
MD5

068b80e5db838244c82891366e8f1559
SHA1

fd68783d656bd51ac6cf9f17018818a68f51044a
SHA256

2f3044f95aa02cab05ae8f65a130ec07bd91fb128bbe2765b3d590a87835e208
SHA512

efa03461bc51858261004717a193d67ac89174f5f2f8b12ec75bde87ffa0ec7f99bfce11de97ab9958fd552794675f3c7a30c94ac8b6840b2d488c1d2c47f397
SSDEEP

384:XcrwKZurWZKuYAWwhJ64XNLYtKi/TE+kOjk0Un1pDhHugvdukDGSne74:XxewJk649LYKr+Un1ugvE+Be7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1372	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
108	tasklist.exe
756	tasklist.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	tasklist.exe
Token: SeDebugPrivilege	108	tasklist.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe
2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 760	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	32
PID 2764 wrote to memory of 760	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	32
PID 2764 wrote to memory of 760	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	32
PID 2764 wrote to memory of 760	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	32
PID 2764 wrote to memory of 1372	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	34
PID 2764 wrote to memory of 1372	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	34
PID 2764 wrote to memory of 1372	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	34
PID 2764 wrote to memory of 1372	2764	068b80e5db838244c82891366e8f1559_JaffaCakes118.exe	34
PID 760 wrote to memory of 108	760	cmd.exe	36
PID 760 wrote to memory of 108	760	cmd.exe	36
PID 760 wrote to memory of 108	760	cmd.exe	36
PID 760 wrote to memory of 108	760	cmd.exe	36
PID 1372 wrote to memory of 756	1372	cmd.exe	37
PID 1372 wrote to memory of 756	1372	cmd.exe	37
PID 1372 wrote to memory of 756	1372	cmd.exe	37
PID 1372 wrote to memory of 756	1372	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\068b80e5db838244c82891366e8f1559_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\068b80e5db838244c82891366e8f1559_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 068b80e5db838244c82891366e8f1559_JaffaCakes118.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 068b80e5db838244c82891366e8f1559_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...