22d00cd4fc4a456a2bf9f39c268322bd214919daa2b2e7589560b4ea72123862

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 17:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe
Size

356KB
MD5

0ee381696f3cf1287dfe1b221cf8c8a8
SHA1

d19a5c3ab087c78dcc8ddb07bde9b082d49184e4
SHA256

22d00cd4fc4a456a2bf9f39c268322bd214919daa2b2e7589560b4ea72123862
SHA512

a675c762cb869fec648db3002ac0b9896b07db60f7bde57c0ef86e539b7df0de7c6cde53da96a9c722d485ec8ed17e4ac7e460fad2478ffc357883fb18299e0c
SSDEEP

3072:Pz/92a98YQ19SenvDteH0eYYQ19qROLz/9vwCZ63EkwVaiJ38yxb:PL9IR3vpelYRXL9dE3qauTb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4584	forqd348.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
520	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe
1108	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 1108	520	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe	83
PID 520 wrote to memory of 1108	520	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe	83
PID 520 wrote to memory of 1108	520	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe	83
PID 1108 wrote to memory of 4584	1108	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe	84
PID 1108 wrote to memory of 4584	1108	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe	84
PID 1108 wrote to memory of 4584	1108	0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0ee381696f3cf1287dfe1b221cf8c8a8_JaffaCakes118.exe" /SETUP
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\forqd348.exe
    "C:\Users\Admin\AppData\Local\Temp\forqd348.exe"
    3⤵
    - Executes dropped EXE
    PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forqd348.exe

Filesize
65KB

MD5
91f1126e7cd47440c1afe00a6e3a1281

SHA1
d69e64152359f512d53dc8cb81421167c7bfeb7e

SHA256
8e0d5dadf9b95a775389d0b81d8f9d275a0202ec2464ddb1ef176d886ab60d1e

SHA512
7241e45ece174020b078b9f60033beafae009f4c3dc8c84481f2fc6edc8645a522efda1a9853110e111999e0700d910c7af813572ee14497f0cde622fc8aad71

Download Submit