06f90aa98b5cd6405519dcbcd53fb181607aed47c5af65267604c778a43118f6

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe
Size

360KB
MD5

19af6e9f9e2cf22df752cc440f65ff9e
SHA1

866bc0471a1c4777c50f9a6badf2b2c1e6ed51da
SHA256

06f90aa98b5cd6405519dcbcd53fb181607aed47c5af65267604c778a43118f6
SHA512

d0d70c9dbe63583bac2cae34de6044a676a40732e4172e23ce03eee2a3c12adbfd38c4d68670e58118928f075fb4592a17a6fc79ed5c05f625072a7cbd69c549
SSDEEP

6144:j12BxaCtRGWwShGVzkmIVIKhwqxeYdxGcN4jAtnJxT+CAwdnaZlUEB:8LlE7IVIKWqzzDBxPy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	gfsmqkasp.exe

Loads dropped DLL 3 IoCs

pid	Process
2932	cmd.exe
2932	cmd.exe
2756	gfsmqkasp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2176	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2592	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe
2756	gfsmqkasp.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2932	2016	19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe	28
PID 2016 wrote to memory of 2932	2016	19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe	28
PID 2016 wrote to memory of 2932	2016	19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe	28
PID 2016 wrote to memory of 2932	2016	19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2176	2932	cmd.exe	30
PID 2932 wrote to memory of 2176	2932	cmd.exe	30
PID 2932 wrote to memory of 2176	2932	cmd.exe	30
PID 2932 wrote to memory of 2176	2932	cmd.exe	30
PID 2932 wrote to memory of 2592	2932	cmd.exe	32
PID 2932 wrote to memory of 2592	2932	cmd.exe	32
PID 2932 wrote to memory of 2592	2932	cmd.exe	32
PID 2932 wrote to memory of 2592	2932	cmd.exe	32
PID 2932 wrote to memory of 2756	2932	cmd.exe	33
PID 2932 wrote to memory of 2756	2932	cmd.exe	33
PID 2932 wrote to memory of 2756	2932	cmd.exe	33
PID 2932 wrote to memory of 2756	2932	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2016 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\19af6e9f9e2cf22df752cc440f65ff9e_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\GFSMQK~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2016
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2592
- - C:\Users\Admin\AppData\Local\gfsmqkasp.exe
    C:\Users\Admin\AppData\Local\GFSMQK~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\gfsmqkasp.exe

Filesize
360KB

MD5
19af6e9f9e2cf22df752cc440f65ff9e

SHA1
866bc0471a1c4777c50f9a6badf2b2c1e6ed51da

SHA256
06f90aa98b5cd6405519dcbcd53fb181607aed47c5af65267604c778a43118f6

SHA512
d0d70c9dbe63583bac2cae34de6044a676a40732e4172e23ce03eee2a3c12adbfd38c4d68670e58118928f075fb4592a17a6fc79ed5c05f625072a7cbd69c549

Download Submit
memory/2016-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2016-4-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-10-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-11-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-12-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-13-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-14-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-15-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-16-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/2756-17-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download