43f1bbe856fb94a4a5bdc346178397b7eac940fba19ad03aac42f6c250f20a6e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe
Size

195KB
MD5

0d7322f6c3cae2864775f3f317b27ef0
SHA1

7ede8aa59f2d538863a2f41b5fd09d12c0b05c1d
SHA256

43f1bbe856fb94a4a5bdc346178397b7eac940fba19ad03aac42f6c250f20a6e
SHA512

e2846b10841799caa0523e6e847e8ac1ec84e0b1ec10ee61f5c8a481f203146bd4995523f98718992375c49034c2def29b98ff6b62f004563488e3d21426de83
SSDEEP

6144:1ubLs7W46heQw+zV2ubLs7W46heQw+zVl:1b7WJgQ/2b7WJgQ/l

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\TXPlatform.exe	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\TXPlatform.exe	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	TXPlatform.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe
2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe
2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe
3028	TXPlatform.exe
3028	TXPlatform.exe
3028	TXPlatform.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2956	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2956	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2956	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2956	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	28
PID 2400 wrote to memory of 3028	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	30
PID 2400 wrote to memory of 3028	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	30
PID 2400 wrote to memory of 3028	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	30
PID 2400 wrote to memory of 3028	2400	0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d7322f6c3cae2864775f3f317b27ef0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\94$$.bat
  2⤵
  - Deletes itself
  PID:2956
- C:\Windows\SysWOW64\drivers\TXPlatform.exe
  C:\Windows\system32\drivers\TXPlatform.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94$$.bat

Filesize
569B

MD5
b799cfbcad90193286ddb595aa055724

SHA1
dc6e931c6bb15b045786e3fb40b83b5ab50b809b

SHA256
63bd2853a0c556ea4819482c5ac3d4af81df1384ea867b2b08f182d32ef3d7cd

SHA512
8db4f813fddbebb99331d2ac5d17f72298c597a00780346364823d3be3b0d5e60e24b61bf5dd14f333b8dd84e028fd73c27fdf2f009635a7aaad995e62679c42

Download Submit
C:\Windows\SysWOW64\drivers\TXPlatform.exe

Filesize
97KB

MD5
a3b002450c648f7ea37a9186d6b8f9e6

SHA1
7b05a54cbac5482e4df4c4e724aa990eed553e78

SHA256
432d271e3201a6e9ba48860e20c75f2df3c537fd4b0f745fabd2c8398c01bc79

SHA512
1a61e2ba6c4421496045bb68ef3d3583d31856a1b9276cc44a76b8e640b2aa2c8b6c47373782de88d142b3290e32207d21e07ffd9c2be88a823d6c3a0b50f356

Download Submit
memory/2400-0-0x0000000000400000-0x00000000004628A5-memory.dmp

Filesize
394KB

Download
memory/2400-1-0x0000000000400000-0x00000000004628A5-memory.dmp

Filesize
394KB

Download
memory/2400-2-0x0000000000400000-0x00000000004628A5-memory.dmp

Filesize
394KB

Download
memory/2400-13-0x0000000000401000-0x0000000000430000-memory.dmp

Filesize
188KB

Download
memory/2400-21-0x0000000000630000-0x0000000000693000-memory.dmp

Filesize
396KB

Download
memory/2400-20-0x0000000000630000-0x0000000000693000-memory.dmp

Filesize
396KB

Download
memory/2400-28-0x0000000000400000-0x00000000004628A5-memory.dmp

Filesize
394KB

Download
memory/3028-26-0x0000000000400000-0x00000000004628A5-memory.dmp

Filesize
394KB

Download
memory/3028-24-0x0000000000400000-0x00000000004628A5-memory.dmp

Filesize
394KB

Download
memory/3028-27-0x0000000000400000-0x00000000004628A5-memory.dmp

Filesize
394KB

Download