c2084b93e0d855568e20ef45b5118e092cd6578dcbff711872fe36bed0237dc0

Analysis

max time kernel
138s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 00:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe
Size

1.7MB
MD5

0b707785b9d45ea0f404e331d82bde31
SHA1

3fea4c9adf887f269329a64df7637ed13ba62a46
SHA256

c2084b93e0d855568e20ef45b5118e092cd6578dcbff711872fe36bed0237dc0
SHA512

027de2abdc7db1631caddf57f7e890ae60b230a48493701ea97cc5ae1e84dee33207f38ccdc20b7fdad890ed1b5a52c6234443215752dc4c50c5bebe176f2d0e
SSDEEP

49152:HKkETpP2iSqH6RLXAxkfWSqlMU8366K8vZMDPFSQj3PPGapJA:qkIFwLvOWU9tVAQyme

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2392	update.exe

Loads dropped DLL 5 IoCs

pid	Process
2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe
2392	update.exe
2392	update.exe
2392	update.exe
2392	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2392	2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2392	2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2392	2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2392	2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2392	2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2392	2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2392	2080	0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b707785b9d45ea0f404e331d82bde31_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
- C:\update\update.exe
  "C:\update\update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\update\MSVBVM60.DLL

Filesize
1.3MB

MD5
f40c65cba5ac3f6570d2c88aa2d3c68e

SHA1
c78f014d499755891f3e604285cb6dd6858cfb7e

SHA256
1b7f3f75584e1a2322981cf9e49c255fae244b2292fdb776ba0ead4f3d4a619e

SHA512
5add58159c5da6b800e941cc3ed75a009a499fe7b8a46ac3251bb3d61e24829e499bc930862ff6f5db4ae8f6412421802901db34f1ac0495e46787639fb9c25b

Download Submit
\update\update.exe

Filesize
96KB

MD5
67af344bef36acbbafd273a9358089d2

SHA1
1ecdc170214f87d205f7610092c66a672149485a

SHA256
2c2dadff5a2099b4733569ee76c65243c829ca86f72a7179906f5147811fe926

SHA512
a8a6aa2cef2762ce93162875fa3109db3179ea7f3785c0935fb0669d6edf489b8444206824ba635720e4b5699bf6e28cf5e1e2e8c079594e46da5a6fc0d0755a

Download Submit
memory/2080-99-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download