91af479e5af127bd8d088cc719a11444f3a480f3f3d2c4a5d86e12d0b2fb1011

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 11:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe
Size

196KB
MD5

1b27d4a6def150c407e8e28ac36154f8
SHA1

2f6248c45b405b047ae46e83760c57f7a0ccc81a
SHA256

91af479e5af127bd8d088cc719a11444f3a480f3f3d2c4a5d86e12d0b2fb1011
SHA512

2509e06fc6ceab6d16832033c8c1aaeb881dc8e479fa1333bbb58b69776670dbde8dc922319628237951826b99408e87f44157c1074874a81210d2bc17dbc415
SSDEEP

6144:EdXdjM0xRNx+MtETRdZ7G6LGS0uXN+z2zClI:EdLRP+MGpG6CHI+zACK

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe
4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe
4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3164	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	83
PID 4472 wrote to memory of 3164	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	83
PID 4472 wrote to memory of 3164	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	83
PID 4472 wrote to memory of 4908	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	92
PID 4472 wrote to memory of 4908	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	92
PID 4472 wrote to memory of 4908	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	92
PID 4472 wrote to memory of 4136	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	93
PID 4472 wrote to memory of 4136	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	93
PID 4472 wrote to memory of 4136	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	93
PID 4472 wrote to memory of 2380	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	94
PID 4472 wrote to memory of 2380	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	94
PID 4472 wrote to memory of 2380	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	94
PID 4472 wrote to memory of 1144	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	95
PID 4472 wrote to memory of 1144	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	95
PID 4472 wrote to memory of 1144	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	95
PID 4472 wrote to memory of 3564	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	96
PID 4472 wrote to memory of 3564	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	96
PID 4472 wrote to memory of 3564	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	96
PID 4472 wrote to memory of 2348	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	97
PID 4472 wrote to memory of 2348	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	97
PID 4472 wrote to memory of 2348	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	97
PID 4472 wrote to memory of 4044	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	98
PID 4472 wrote to memory of 4044	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	98
PID 4472 wrote to memory of 4044	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	98
PID 4472 wrote to memory of 1672	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	99
PID 4472 wrote to memory of 1672	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	99
PID 4472 wrote to memory of 1672	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	99
PID 4472 wrote to memory of 1400	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	101
PID 4472 wrote to memory of 1400	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	101
PID 4472 wrote to memory of 1400	4472	1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe	101

C:\Users\Admin\AppData\Local\Temp\1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b27d4a6def150c407e8e28ac36154f8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinDCC1.bat"
  2⤵
  PID:3164
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin4D75.vbs"
  2⤵
  PID:4908
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin4440.vbs"
  2⤵
  PID:4136
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinD74F.vbs"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin4D75.vbs"
  2⤵
  PID:1144
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin90C4.vbs"
  2⤵
  PID:3564
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tin61A9.vbs"
  2⤵
  PID:2348
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" /nologo "C:\Users\Admin\AppData\Local\Temp\_tinD74F.vbs"
  2⤵
  PID:4044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tin8316.bat"
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\_tinAF2D.bat"
  2⤵
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\549E63BB\Setup.exe

Filesize
15KB

MD5
8e6cc729e1d9dbb12a622e267d237d66

SHA1
b655b6a1ed803e01da97ff47f303f32f61677067

SHA256
4d705b1b36a27695efe32d292652ecabb5265d7c0506fcc12cb3132b10e8cf45

SHA512
88fda1bcd7da173377583412edeb4b41ae8a03c5865817464747cb346165300037b7e1d453259feb5f88d6a75c5185d2561501e6d36ed6e5972867926826fb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\549E63BB\Setup.ico

Filesize
4KB

MD5
c3926cef276c0940dadbc8142153cec9

SHA1
f8b350d2b7158f5ab147938961439860d77b9cb4

SHA256
0ec48e3c1886bc0169a4bc262f012e9b7914e3b440bb0ecc4d8123924abc9b93

SHA512
5b9958095b8a7b39b3a2226a5242faec8d2d799d10e1e4ed6dbfb8aaebe51b7496cf4bb5ad588366a296671df3ba46a3f42860abc7f9501b4cc5efd55dd87904

Download Submit
C:\Users\Admin\AppData\Local\Temp\549E63BB\_Setup.dll

Filesize
63KB

MD5
f7e4b2e5bbc049837572380b7e9d2852

SHA1
741c77dfb4dab659821f0e3d3b400ff91f85e1a6

SHA256
2c7223e655032306dc6ca8c320b71501c200b1cb727b6b8e19a5beef19cb7b0a

SHA512
1851020c05d9febc9c2911782a89e2d364e5802f290c3a1526a2313262649c436160e18a98d8a45dff163f259c9adc494582082f83e7cbc785f6c074a4cfbcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\549E63BB\_Setupx.dll

Filesize
16KB

MD5
a3e3a7c55dac05898f398f0ef4ef16fd

SHA1
2245eebc8ef1d3c1ae7f395ce168b0a93fb0f016

SHA256
25e262cf0f72f8e8bcd0bc6f4cabcd8dcf397ac027cce46ce8ac19511afabffe

SHA512
e7d8e21b6f40caccf519ba27895c09ae07ade7c82982265c249228ed0bd18179b6e25dedf2596e6be60db782d80cfeb014c43c5d25757c156d54fd5ae4193d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tsu-1178.dll

Filesize
245KB

MD5
b108889302e8b55cf9ccf20cd6410957

SHA1
0996e075524e6ff1b6cd6e1a8bcb37dfa6690b03

SHA256
14e326cf45273d252eedd569d271dace54ed6241719ff8fda006e46de768b200

SHA512
205e532b56fc00c5b41df67af1ca442f97991f18f4fc5af165f22962459995000af90df70d6aabf030b25c1a85ab45a06ceff59f329fb9d46965c07b81e2e5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin4440.vbs

Filesize
1KB

MD5
087f9fbe8e8b3f0a9f0e8ee4e5eb4b8c

SHA1
0c2848abf95570e28438ae29344d8ce88cbcc189

SHA256
bed62940346afa13085cc49b47693d0357dcf81fb7198d1ad2b3075c3fb210ed

SHA512
bd6448eb43307b6c5314d0449dc022efd1e2434d76447efb7e48af4b9f4e37614c81beee6f340a0790e266d15f3d7071e874a764b974c709ce15b20f92226a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin4D75.vbs

Filesize
304B

MD5
9b66a448daabb9fc5b49316079ccef89

SHA1
21b5614a5eacb1dab529e17069dfbf05477c6638

SHA256
6e1c6b812be3fd584721241c27a7d4c81b8823965c1f235318f77dbe0f8fe4bf

SHA512
a5f121073883b78e4330bb493f77d891043c55635e258f2834436a9cea175932c9166d7f1332caf39ea4f9a21302153397942af65aa923f502abf12f538d18ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin61A9.vbs

Filesize
819B

MD5
7db9ef78d8c5d84a9cb230663ba6b2f4

SHA1
3ce18e195696cf9095bc7e148d5cfb30923024a6

SHA256
3d67f73affc59bbc10fdb71bb66d272ac076097aa7430ca17b4b4c581d79a65e

SHA512
c99fd3da993f304267d548161aa7a7bf6d5af9be50d32c197be7ea4134c64674f1abe5e1e0724142bc0dbccfd206f4b48b3049519e85cc032eb67e85a285ad61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin8316.bat

Filesize
50B

MD5
e0071d1f945071cf54044d0bb94f3ddb

SHA1
de4bf137e7a802ea737dcfc82a474eb2f1d299ce

SHA256
94ca6f261a5efa2e5ddeed18e321bed0e8b083a453312317da3314cbc4bcefdb

SHA512
b900e5046e3eccc406b90081f7f12ec164a89ba4da4a3fc75cd22491132741c604800f5a210cc9316fafe221f5872d2fb15f226e47748382bff072141fecd076

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tin90C4.vbs

Filesize
419B

MD5
58f82b9f5ba27c5827faa8a194bd81fc

SHA1
ea76d837ae836b95d230c9a234c58e68b3799847

SHA256
82169002a4e56ac6c8bc269f57c5c1b25202ccb3549a858456f6b26ee5065e9d

SHA512
c2469d097aa3f456e14f314f135934d4b5882110ea08e3c7ec88029de7c3a64b2e532d19434d94f90d6b782a7db7a00a5e36ce240622472a9b0193e7bdecba61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinAF2D.bat

Filesize
46B

MD5
0ea5a71028ba7791e4c3b232b8c34697

SHA1
e10dd1c3d33ec3aa1646f627d635173807248b7f

SHA256
097a5647bb9a0855bec5886fe54ddb09b367d83ceb49c2952121f577027d5c45

SHA512
b4abd62a41f8d002412a385d73326887dd25db1b658ea24ec2a5bf2f363d96d094ee1f814f5591f0994e83a1a12a34ac97a724d320922f55310c0c9347f347d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinD74F.vbs

Filesize
2KB

MD5
9e7c767d6a19b7d667dc5d49c7cf793a

SHA1
63c82a640f006f0aaad391624037afb943a7da60

SHA256
cc153f8b16eea07192d9d5c35a85cc4a096a58df25c054ef6c895029f4ceacb6

SHA512
49a79e03137b8bdf88c561e9ab120bd295fe2fbb317ca9fbbf43fbe93042ad34fbe77d87b8236bae1fa8bc92133eed0a933b88088e35f1e3cd3978b54bf52a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_tinDCC1.bat

Filesize
44B

MD5
bce373ea8ee55cef27625aa96ffd3224

SHA1
2ea5acc2b9bb242cbeb5a166abe1c8e035579c5e

SHA256
8eab493a37aeef8725f487c664279657623baa995d82d11547544bb0f13d1296

SHA512
5733b736ed2cfcf298371a1d558737db380631d2f6b9147add4b85cbca08bfb32373875e35831aa94e71adf7b00909b8531df8f68115d9dc925cb3d9019177e6

Download Submit