9b94e4843e6553e02eb72044fb5c8b06d2640415c5ea66e5f386d8055d23acc2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe
Size

2.7MB
MD5

188e04f2bf4efe0d432023960235aaf3
SHA1

3608360fa20e3747407892f48cebb302bbfefd9b
SHA256

9b94e4843e6553e02eb72044fb5c8b06d2640415c5ea66e5f386d8055d23acc2
SHA512

343d2eccea055bf6638d32638d04aa2e41c69f0a962caa50fd3650608522f1fe32209414b92db784ef37aa5e5d5679442dc5085c8d38b2503aeee73282fbe06c
SSDEEP

49152:++fqu1p1m26k6SoVRfKKAQMuPlafm+tZP80Z9PHMhd6JTzGxyYILnYerXW2fzkiB:++f71p1B6k65pKbyafbtW0Z9UhcZYWJT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	sexyss40.exe_tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1412	188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Alyssa Milano Sex-E Screensaver Uninstaller.exe	188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	sexyss40.exe_tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2732	1412	188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe	28
PID 1412 wrote to memory of 2732	1412	188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe	28
PID 1412 wrote to memory of 2732	1412	188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe	28
PID 1412 wrote to memory of 2732	1412	188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\188e04f2bf4efe0d432023960235aaf3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\inst259395857\installer\sexyss40.exe_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\inst259395857\installer\sexyss40.exe_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\inst259395857\installer\sexyss40.exe_tmp.exe

Filesize
2.0MB

MD5
9e38b54e530a228c560cae3ac6142b0a

SHA1
98be5c950fd564676ce09896283f8875074a7138

SHA256
d359945afcb0dfdf132a7a85190b8e7ca58515e63b1ab28218944f88afbc5dd0

SHA512
998ad49f640641b5af7a6bcc406e7861a2edf7ba08830280165732db969b94d3fa0affaf72be43ccbc196b4aa657555c3cdbcc96473a9749a3ca93c2fb9b7211

Download Submit