8c78706712434ef38a1abb89ea7edcc0ad12d8c88a4a9b61e2a1d34274e69740

Analysis

max time kernel
133s
max time network
133s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe
Size

1.7MB
MD5

07908f5b83dcf48bbda1cee4ae54cf57
SHA1

6aad65a6b167fc7bcceebae90034ab6c60c63688
SHA256

8c78706712434ef38a1abb89ea7edcc0ad12d8c88a4a9b61e2a1d34274e69740
SHA512

34a260a5b018c9da9e11dd55bbb8d5391ed650d66471458c11ed1b16bdfb333459397dc8b3f8cadaa1f5969fd3581f8b1860bf2e9c718e8c2ddd5710f775a63b
SSDEEP

49152:8Pj2QIONkRkqRGZdcL2OZDZZiLy3NgqhHx1pS:8PEokRkGCIDZU+9tps

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2748	temp.exe
2272	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe
2420	07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	temp.exe
File opened for modification	C:\Windows\svchost.exe	temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	temp.exe
Token: SeDebugPrivilege	2272	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2272	svchost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2272	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2748	2420	07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe	28
PID 2420 wrote to memory of 2748	2420	07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe	28
PID 2420 wrote to memory of 2748	2420	07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe	28
PID 2420 wrote to memory of 2748	2420	07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe	28
PID 2748 wrote to memory of 2272	2748	temp.exe	29
PID 2748 wrote to memory of 2272	2748	temp.exe	29
PID 2748 wrote to memory of 2272	2748	temp.exe	29
PID 2748 wrote to memory of 2272	2748	temp.exe	29

C:\Users\Admin\AppData\Local\Temp\07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07908f5b83dcf48bbda1cee4ae54cf57_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
294KB

MD5
c49032e7a16c19b04f64ba6696e0bdbb

SHA1
707521030fb93008c0bd7dfa17f0fe9f2c7ca12a

SHA256
ac5b3edf02198836521e2e94070348378aa0df712514708ea54f877158672103

SHA512
1ab37d9001b58a768e4a7363514ef18444bf45b972788ee2390f10d8bfe4d3c894f935811134dcba9f0df48777a6744fb83969d8bf46a2db03376c7eeda764d9

Download Submit
memory/2420-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000001C00000-0x0000000001CE8000-memory.dmp

Filesize
928KB

Download
memory/2420-3-0x0000000010000000-0x0000000010300000-memory.dmp

Filesize
3.0MB

Download
memory/2420-2-0x0000000010001000-0x0000000010030000-memory.dmp

Filesize
188KB

Download
memory/2420-4-0x0000000010000000-0x0000000010300000-memory.dmp

Filesize
3.0MB

Download
memory/2420-5-0x0000000010000000-0x0000000010300000-memory.dmp

Filesize
3.0MB

Download
memory/2420-7-0x0000000010000000-0x0000000010300000-memory.dmp

Filesize
3.0MB

Download
memory/2420-17-0x0000000010000000-0x0000000010300000-memory.dmp

Filesize
3.0MB

Download
memory/2748-21-0x0000000000401000-0x00000000004A3000-memory.dmp

Filesize
648KB

Download