2387103da53a8e52093bac68243569c265e23129db6d874ee29c24c9d229698d

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
Size

104KB
MD5

0cf3c2aee431475d75bc79d5ea323730
SHA1

313f4eb1ea98af681ada997d9f46c9ef41f6f31a
SHA256

2387103da53a8e52093bac68243569c265e23129db6d874ee29c24c9d229698d
SHA512

5f8b76dc9fa3d84a577499dc2e64e31b4c9460a6bc3f82be0c7efc652717135e1144584f207259e3ab609c902d28d276ff8e4a8c113e9e42826cf162bbd5eb5e
SSDEEP

1536:ngTJCNMiJ0dxUEy5beFI5sxyCNYwUch0IdTh8evcmmt0DH:n2JhCgPCR41hWevcmmt0DH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	gzpot.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gzpot.exe	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gzpot.exe	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\xutrt.PNF	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\xutrt.PNF	gzpot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2052	gzpot.exe
2052	gzpot.exe
2052	gzpot.exe
2052	gzpot.exe
2052	gzpot.exe
2052	gzpot.exe
2052	gzpot.exe
2052	gzpot.exe
2052	gzpot.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2052	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2052	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2052	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2052	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2876	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2876	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2876	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	31
PID 2932 wrote to memory of 2876	2932	0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cf3c2aee431475d75bc79d5ea323730_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\gzpot.exe
  "C:\Windows\system32\gzpot.exe" -reg2
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\erase.bat" "
  2⤵
  - Deletes itself
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\erase.bat

Filesize
148B

MD5
04a37a3a32775fa4b62e55e52bac0ca9

SHA1
fce3ea97d1e2b4b87519bd0e80856fbfc46ed294

SHA256
77cbe4eda413ea401ad27d5fbdbe579a708c4ad8387c6fc8e87c7ab977d9051f

SHA512
b883e11435807099c941038bba08c50255e5e3a2cded743472ab419fc985eefbe45292d54f7c396e4c54127ae638ac5991b7a91e6602502eff30e929f341c2d5

Download Submit
C:\Windows\inf\xutrt.PNF

Filesize
104KB

MD5
c221afd057c1a1daf1f6fe9c58db8d3c

SHA1
ec8428b87fb3c22ee6f35a634f859af93086b232

SHA256
c9263be370d3053108ae32303fdd2131f7da63324cf42b5096046abb5f66997a

SHA512
140cdbd6f643136958b99aac6ae8e085537726d1ee8ef0fa5986cd26822ba35b68fc9933dc9031333ae332129f3ef621784405b344ec23658360ec69c647801b

Download Submit
\Windows\SysWOW64\gzpot.exe

Filesize
104KB

MD5
1617ec21d805c4875cb2db4c32395f18

SHA1
15093101b5883bf2a1f45ce6517b9f83d77c40db

SHA256
09f378cf5cb290e43aa33019166749e68c80f19189b48b695301952f3413dc72

SHA512
d803d8d9855db35774f81636040f2236f78984da0998ba6a98daac4f5878370cc97f6c4ffaf74badf5c988d36b3382f4f1a120f924d796e41b251c0fab208dee

Download Submit