cf7630634f72de7cfb1a06c4a1fb4a668b31ca2135706c5aed7d8d23103d0560

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe
Size

717KB
MD5

0ad63b3b2f0f902e5900fa8bca2bc55c
SHA1

23bbe530415f7be57c309cb16e83718df5faa439
SHA256

cf7630634f72de7cfb1a06c4a1fb4a668b31ca2135706c5aed7d8d23103d0560
SHA512

1c039428b47e3a29d63764de61cf5882ee3294ecc895d5192e604cdd416c4df397ddac37445e05a9bdf6379b5f4fea25bc1a64f4f60307183cf9b0938a4726fe
SSDEEP

12288:h81Ed0hYcVhGuo0p7HXDGbMHKWv+IQ0YNzzQZMiGDfur9DOUXINRFR7bFpskqrK:h81EdVcVcuHoWP8h8+iGD0JO9lFpQrK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1144	update.exe

Loads dropped DLL 1 IoCs

pid	Process
1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1144	1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe	28
PID 1284 wrote to memory of 1144	1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe	28
PID 1284 wrote to memory of 1144	1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe	28
PID 1284 wrote to memory of 1144	1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe	28
PID 1284 wrote to memory of 1144	1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe	28
PID 1284 wrote to memory of 1144	1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe	28
PID 1284 wrote to memory of 1144	1284	0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ad63b3b2f0f902e5900fa8bca2bc55c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"
  2⤵
  - Executes dropped EXE
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
5.3MB

MD5
348d13918be7adc990a31e4e53f17e84

SHA1
3d96db22e8c7bb1d63454fc3c1875677324513f1

SHA256
866b37989c5f0f25d525abfbf9fa1a8daea807ac6e52599dd6e0a86afe6c9cbc

SHA512
d18ef521c7997d7ba9e60e480b97a25ea6d9837ff158760ddb7b6d9998723c6b1a56f457a7d284c416dde57125fc49275bf7d74e2186c005ff7f4a6f0536d25d

Download Submit
memory/1144-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1144-8-0x0000000000400000-0x0000000000952000-memory.dmp

Filesize
5.3MB

Download
memory/1144-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download