9a64117f2e2c9485cd3ed8ecb656b2f6953dad5da3120c72a75b6f47e0ed9582

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/06/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
Size

702KB
MD5

0394186c7c72386cbdb20492e62c6500
SHA1

6bfa90ecbc280224c3fb49e90e04b1d4b055fe27
SHA256

9a64117f2e2c9485cd3ed8ecb656b2f6953dad5da3120c72a75b6f47e0ed9582
SHA512

e36519d8984e8b5e4699fee127582853e9ab11e0d169421f64cfcc9945569892246255afc78ef1431eb1498f0be79542ae96dbad9c6dad63afffcd11cde69117
SSDEEP

12288:GDQAF1KvlY3wFUHrjLGawM29tyDnJYJpYxTCCzOdFZ7miHGj8/SGl:GDQg1Kv6KUj8GnJKMCDv5miHjSI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	EPSTP32U.EXE

Loads dropped DLL 1 IoCs

pid	Process
2484	EPSTP32U.EXE

Drops file in System32 directory 28 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\EPSTP32U.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPINSTU.EXE	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPPRTDRV.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPINSTU.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPPRTDRV.CAB	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSPTDV.DLL	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSTHK32.DLL	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPINSTU.EXE	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eps_icon.avi	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSPTDVE.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPISPC98.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSPTDV.DLL	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSETUP.CAB	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSTHK32.DLL	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSCMINS.DLL	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSCMINS.DLL	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSDIW64.EXE	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSTHKUT.DLL	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSTHKUT.DLL	EPSTP32U.EXE
File created	C:\Windows\SysWOW64\EPSPTDVE.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSDIW64.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\EPSTP32U.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPSTP32U.EXE	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPSETUP.CAB	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPSPTDVE.EXE	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EPSMTL32.DLL	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EPISPC98.EXE	EPSTP32U.EXE
File opened for modification	C:\Windows\SysWOW64\eps_icon.avi	EPSTP32U.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	EPSTP32U.EXE
2484	EPSTP32U.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	EPSTP32U.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2484	2620	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	91
PID 2620 wrote to memory of 2484	2620	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	91
PID 2620 wrote to memory of 2484	2620	0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\EPSTP32U.EXE
  "C:\Windows\system32\EPSTP32U.EXE" /y:"C:\Users\Admin\AppData\Local\Temp\0394186c7c72386cbdb20492e62c6500_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

Filesize
3KB

MD5
a7edd7812ddc40ae1c213def66681225

SHA1
5ddc1a9a906d18de27eba55668ffdc093e16a46a

SHA256
571a8ffe328949e50dde72e5d638a62311822f962daf112ed5c5e91b48fcb5bb

SHA512
4e142f04773f8d90019975bab973760bd72f9b194ed0b809309651bb5742e0c3ac2acef93c66400d4c81688ee104d6ce3d2f1197a8badaa11ce19fc27655767c

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

Filesize
689B

MD5
c88c46d0516acbdc0ac5fa1d38717904

SHA1
4aa10e407705cf842af426aa42959f17fdf95c6f

SHA256
10745d7066d0881519112ecf4f743b6e9ffbd2ef50f69813bfe993929e1fb24a

SHA512
db36705b490e073856aa345a7cce257a3b1cb69027ccf824bdb5083685c765837b7514549d2c153183a7849d3416dd091d9b46d2a0a0553b8875df7ac7613cf9

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\EPSTPLOG.TXT

Filesize
2KB

MD5
baae8837643a6776be1bb8ffecd78492

SHA1
06ca67a366da52f2be5a9dc1363a4c2c4d4b92b9

SHA256
a58d16b690edddfbb37cc1fd7683677619e4439c7e278878412235a3a31b3d62

SHA512
a07847c2d45de1e73f1d777923433341d3f51220164bb41b93f495e3976316681552bc1d128cee1451f64648465e69b9b484d04d881a4bc6e539fb99b5e69790

Download Submit
C:\Windows\SysWOW64\EPINSTU.EXE

Filesize
112KB

MD5
5df3b7a6b6f83861d41c847037c93118

SHA1
59705676710abefebec2bb6871a17ff05cf6702a

SHA256
411c8491eb1920e10e2c82d42144b69936a68d7e855b9bd81b70972ffac329f3

SHA512
82dec648b4b8e7e58e98c8516428cedd6fba7b779a265982e1ed5edd172cdae3c908887cfa23132ffe4c1d9ea1a3dd805f7a3183a06000752f0263fefee725fe

Download Submit
C:\Windows\SysWOW64\EPPRTDRV.CAB

Filesize
309KB

MD5
67a0b01c451056770898457eea2aad4e

SHA1
bbd62df0c276e335f241327283319406bca76165

SHA256
7263dbaee78e58c52bcecfb8575b56d3b8419b8ff840a5321c28ef8f05277ecb

SHA512
09a8ea990e42739bf777510efea580571156a613b1ab2e9b61e0c9831c366deede54e1edb37dae0d92960a9cec2629fec00d8387510f627ac4b799d4023be606

Download Submit
C:\Windows\SysWOW64\EPSETUP.CAB

Filesize
439KB

MD5
45699880ea5657b5b059421ebcfe1e9b

SHA1
483336527eb55fd6ec4799c0aa6ee64680546684

SHA256
61dae9e0810490e1e40571f47143b000b99199828f9282f672bbce72c4e35a91

SHA512
de291d917b2e66c3773c62df03631f7db6574cf1d0ab439484296a77c904bdff2e5a55636155667e144857a5be705c0c63910bfb35a7344c5842179fd4ab5190

Download Submit
C:\Windows\SysWOW64\EPSPTDVE.EXE

Filesize
404KB

MD5
9b4553d9f3cfe7b996599a4d1e3266c4

SHA1
f3e4fed90f1d3839ca356103e23eb134cc44aae0

SHA256
d228107a2ea127e6c5a941c7e95018de142481a38def891b4670d831f4fcde28

SHA512
6d97b15fc6be882b07c48bab71ef0333cd1e1dac85155de4cf8d85facd70be76fd8009c3b4737b56ef52bacebc4642ca16fb91a6df9a2fad9aa9ea660f5b43ce

Download Submit
C:\Windows\SysWOW64\EPSTP32U.EXE

Filesize
888KB

MD5
eac0e672b5bd7ccbe55f8d38ab868453

SHA1
79e433f17b9e0662d36198887f370bee62559e47

SHA256
a5cb81fb252798c4090f46ffb040b223cd9dbf7b666c6979f7646869d1edf34c

SHA512
587ff1522b22eb12b32aa76bbe2746cc2c1b5651f812b8af60f1a089411987f95849c2e4e0061ba98c1c191bdbc1b41f7b89f4fb7406c2e20a01d2b7ace21c5b

Download Submit
C:\Windows\SysWOW64\eps_icon.avi

Filesize
8KB

MD5
67ebc1d5e2bab0c2d85406eb19cc85dd

SHA1
a6bae9685e79c77e7a9908ce053fe498fb2a6be3

SHA256
8eddab93591333f7e58e5d4e5597c12fbe220095b4ecfc6e4a5a591a464e7ac8

SHA512
6690ed68852272826d09544ea4716120fc117a560ce66a67e012f49a72e04706fc24129b10651404ba3f3cd118b74eeb1123a655856ab17bbaa4b2f585f47600

Download Submit
C:\Windows\SysWOW64\epsmtl32.dll

Filesize
436KB

MD5
74137d804726fedc903657e6865b7d54

SHA1
270316a43a5e4c2f725c3fd33acd8e762ce4d825

SHA256
3c1a632eed70e14225c2e96516f6d9201fd5da06a9fc8688a2aeb68e2ca09bef

SHA512
cf636a274fe8eb62345cfaf98038367be4a4111b8a9891abd90cc5b4c2e3889e650481639de9f11b3affe3db117b014876c7c5026989d592b4f8a8c0227c66bf

Download Submit
memory/2620-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2620-152-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download