5c1a710628ea2be30907df9a6f25c672c2fe683d6ee1930a829061afe7fc877c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
Size

104KB
MD5

188948ddb492aadfe9ff4180f2b9554c
SHA1

ea779e28591ee9a07b86cb4b6a0b736f7ff79e3a
SHA256

5c1a710628ea2be30907df9a6f25c672c2fe683d6ee1930a829061afe7fc877c
SHA512

3117e2ac507c4d41f6e4499813915f9ef76c1a0abb19a27b1a013894b0e2b6967a50a5440c7404468f1c44a61356a5803052725c22a1adb6b0bded03691158d9
SSDEEP

1536:ngTJCNMiJ0dxUEy5beFI5sxyCNYwUch0IdTh8evcmmt0Dm:n2JhCgPCR41hWevcmmt0Dm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2612	npnds.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\npnds.exe	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\npnds.exe	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\xutrt.PNF	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\xutrt.PNF	npnds.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe
2612	npnds.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2612	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2612	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2612	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2612	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2628	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	32
PID 2140 wrote to memory of 2628	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	32
PID 2140 wrote to memory of 2628	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	32
PID 2140 wrote to memory of 2628	2140	188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe	32
PID 2612 wrote to memory of 1096	2612	npnds.exe	19
PID 2612 wrote to memory of 1096	2612	npnds.exe	19
PID 2612 wrote to memory of 1176	2612	npnds.exe	21
PID 2612 wrote to memory of 1176	2612	npnds.exe	21
PID 2612 wrote to memory of 1096	2612	npnds.exe	19
PID 2612 wrote to memory of 1096	2612	npnds.exe	19
PID 2612 wrote to memory of 1176	2612	npnds.exe	21
PID 2612 wrote to memory of 1176	2612	npnds.exe	21
PID 2612 wrote to memory of 1044	2612	npnds.exe	17
PID 2612 wrote to memory of 1044	2612	npnds.exe	17
PID 2612 wrote to memory of 1176	2612	npnds.exe	21
PID 2612 wrote to memory of 1176	2612	npnds.exe	21
PID 2612 wrote to memory of 1096	2612	npnds.exe	19
PID 2612 wrote to memory of 1096	2612	npnds.exe	19

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1044

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\188948ddb492aadfe9ff4180f2b9554c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\npnds.exe
    "C:\Windows\system32\npnds.exe" -reg2
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\erase.bat" "
    3⤵
    - Deletes itself
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\erase.bat

Filesize
148B

MD5
f2304cf9b8a7809ead7111dd07c2afbd

SHA1
b1842949b4e4a98e0e164dd3bf115eef0ccb536e

SHA256
e4e8d8a8464fcb22079616e46090efa40253fdcd52899ee7c0dc632733a5a0e6

SHA512
dc2056a85f6dc3a4cfa5dab2360b079268628a85611b6753751b68cfd6cca121d2091ab0dc646a51166730debf4f40e941087e70e275c758a805122611973025

Download Submit
C:\Windows\inf\xutrt.PNF

Filesize
104KB

MD5
a845d5644ec1c2bebd083834d5f112c7

SHA1
fa484258d445665404b2e0bed2386ac1ee6f5c9b

SHA256
da2059176a903434efa1f894d9e8ecb1b89bb7743d26f7347056f5e158700c06

SHA512
0f1798da38321d88cdced21091bf2d59671102c01dc6d8a8aff80fdaa60efc97f9354f52feb7694683daee41095098ab1634c9ddd05577217d09774b2299ba40

Download Submit
\Windows\SysWOW64\npnds.exe

Filesize
104KB

MD5
b9853ace0c3ca2fcfc155b253150bbc1

SHA1
8dbf9a6ef6ad0640d83a9f66c4b7bd271d704da0

SHA256
327976891e85370a76651ef8159114a2745cc33a1f173b18c645459b198f058e

SHA512
e57dd55adfc51b87eae47df19abc68fbf5c20feae273f1b7eb033349b7e6a2503792e1ccc8a4478ca879f6a9b841a02e1152b74e19f164f86eb3c629eefaf404

Download Submit
memory/1096-24-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/1096-25-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/1096-32-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1096-46-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/1176-28-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1176-42-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download