9a64117f2e2c9485cd3ed8ecb656b2f6953dad5da3120c72a75b6f47e0ed9582

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
23/06/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
Size

702KB
MD5

0394186c7c72386cbdb20492e62c6500
SHA1

6bfa90ecbc280224c3fb49e90e04b1d4b055fe27
SHA256

9a64117f2e2c9485cd3ed8ecb656b2f6953dad5da3120c72a75b6f47e0ed9582
SHA512

e36519d8984e8b5e4699fee127582853e9ab11e0d169421f64cfcc9945569892246255afc78ef1431eb1498f0be79542ae96dbad9c6dad63afffcd11cde69117
SSDEEP

12288:GDQAF1KvlY3wFUHrjLGawM29tyDnJYJpYxTCCzOdFZ7miHGj8/SGl:GDQg1Kv6KUj8GnJKMCDv5miHjSI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2612	EPSTP32U.EXE

Loads dropped DLL 5 IoCs

pid	Process
2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
2612	EPSTP32U.EXE
2612	EPSTP32U.EXE
2612	EPSTP32U.EXE
2612	EPSTP32U.EXE

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EPPRTDRV.CAB	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSTP32U.EXE	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPSETUP.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPSPTDVE.EXE	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPPRTDRV.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPSMTL32.DLL	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPISPC98.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPINSTU.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSTP32U.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPSTP32U.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPINSTU.EXE	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPSPTDVE.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSETUP.CAB	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSCMINS.DLL	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSDIW64.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\eps_icon.avi	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\eps_icon.avi	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSCMINS.DLL	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPISPC98.EXE	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSDIW64.EXE	EPSTP32U.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2612	EPSTP32U.EXE
2612	EPSTP32U.EXE
2612	EPSTP32U.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	EPSTP32U.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2612	2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2612	2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2612	2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2612	2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2612	2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2612	2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	28
PID 2852 wrote to memory of 2612	2852	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\EPSTP32U.EXE
  "C:\Windows\system32\EPSTP32U.EXE" /y:"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

Filesize
689B

MD5
7dedead70b4ccbc3d41b14522983a71c

SHA1
0cf3764616f1ba1ee2d748999d427fbfea7c00e3

SHA256
7c779535d90c048e3b44fe6df50031214ee5ba2503c1ed4d07248dbb2f0cbee8

SHA512
d07b8b1bbeeb379a886577f633c317a8b9b879409c789a8de8c9c5b439a5d523eef4f0e34bcc8397a779f9ec783e4e69f82f334db102abbf385315aa22d1016f

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

Filesize
3KB

MD5
3e9de36cb754b587786ccae9429624c1

SHA1
f770fa0151e8d7078bc3f9eba8fbd0b1dc415d90

SHA256
c0865d3e444a293484343c1d0a95b1790a57c5478c471adec29117a9ee140f47

SHA512
8e70b0e3bc7aa5bf71beff2f007809e85b6a21e85d5284abe62dabecd32bc45eb12068199c5d7e1381f6b25eac08ec20635bf2f37d9f25dba807e8c102aeccad

Download Submit
C:\Windows\SysWOW64\EPINSTU.EXE

Filesize
112KB

MD5
5df3b7a6b6f83861d41c847037c93118

SHA1
59705676710abefebec2bb6871a17ff05cf6702a

SHA256
411c8491eb1920e10e2c82d42144b69936a68d7e855b9bd81b70972ffac329f3

SHA512
82dec648b4b8e7e58e98c8516428cedd6fba7b779a265982e1ed5edd172cdae3c908887cfa23132ffe4c1d9ea1a3dd805f7a3183a06000752f0263fefee725fe

Download Submit
C:\Windows\SysWOW64\EPPRTDRV.CAB

Filesize
309KB

MD5
67a0b01c451056770898457eea2aad4e

SHA1
bbd62df0c276e335f241327283319406bca76165

SHA256
7263dbaee78e58c52bcecfb8575b56d3b8419b8ff840a5321c28ef8f05277ecb

SHA512
09a8ea990e42739bf777510efea580571156a613b1ab2e9b61e0c9831c366deede54e1edb37dae0d92960a9cec2629fec00d8387510f627ac4b799d4023be606

Download Submit
C:\Windows\SysWOW64\EPSETUP.CAB

Filesize
439KB

MD5
45699880ea5657b5b059421ebcfe1e9b

SHA1
483336527eb55fd6ec4799c0aa6ee64680546684

SHA256
61dae9e0810490e1e40571f47143b000b99199828f9282f672bbce72c4e35a91

SHA512
de291d917b2e66c3773c62df03631f7db6574cf1d0ab439484296a77c904bdff2e5a55636155667e144857a5be705c0c63910bfb35a7344c5842179fd4ab5190

Download Submit
C:\Windows\SysWOW64\EPSPTDVE.EXE

Filesize
404KB

MD5
9b4553d9f3cfe7b996599a4d1e3266c4

SHA1
f3e4fed90f1d3839ca356103e23eb134cc44aae0

SHA256
d228107a2ea127e6c5a941c7e95018de142481a38def891b4670d831f4fcde28

SHA512
6d97b15fc6be882b07c48bab71ef0333cd1e1dac85155de4cf8d85facd70be76fd8009c3b4737b56ef52bacebc4642ca16fb91a6df9a2fad9aa9ea660f5b43ce

Download Submit
C:\Windows\SysWOW64\eps_icon.avi

Filesize
8KB

MD5
67ebc1d5e2bab0c2d85406eb19cc85dd

SHA1
a6bae9685e79c77e7a9908ce053fe498fb2a6be3

SHA256
8eddab93591333f7e58e5d4e5597c12fbe220095b4ecfc6e4a5a591a464e7ac8

SHA512
6690ed68852272826d09544ea4716120fc117a560ce66a67e012f49a72e04706fc24129b10651404ba3f3cd118b74eeb1123a655856ab17bbaa4b2f585f47600

Download Submit
C:\Windows\SysWOW64\epsmtl32.dll

Filesize
436KB

MD5
74137d804726fedc903657e6865b7d54

SHA1
270316a43a5e4c2f725c3fd33acd8e762ce4d825

SHA256
3c1a632eed70e14225c2e96516f6d9201fd5da06a9fc8688a2aeb68e2ca09bef

SHA512
cf636a274fe8eb62345cfaf98038367be4a4111b8a9891abd90cc5b4c2e3889e650481639de9f11b3affe3db117b014876c7c5026989d592b4f8a8c0227c66bf

Download Submit
\Windows\SysWOW64\EPSTP32U.EXE

Filesize
888KB

MD5
eac0e672b5bd7ccbe55f8d38ab868453

SHA1
79e433f17b9e0662d36198887f370bee62559e47

SHA256
a5cb81fb252798c4090f46ffb040b223cd9dbf7b666c6979f7646869d1edf34c

SHA512
587ff1522b22eb12b32aa76bbe2746cc2c1b5651f812b8af60f1a089411987f95849c2e4e0061ba98c1c191bdbc1b41f7b89f4fb7406c2e20a01d2b7ace21c5b

Download Submit
memory/2852-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2852-122-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download