cb96be85ed40cd0161cb7edd78f8e15268b3e540e3d6ac8d62e62f1684d44441

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe
Size

24KB
MD5

1b55e38e943d18814c2292de7ed41e14
SHA1

e6ecc0950f9ccaca200c003e4b7f2cc35e6f8021
SHA256

cb96be85ed40cd0161cb7edd78f8e15268b3e540e3d6ac8d62e62f1684d44441
SHA512

12f270f5609d74ac091a55f9e70f8013ee6264ec5d99d2dfc82a0954c9eca1fdde9f153ad4d6bbedde4b3a9bd9eb1611abdb882e0711178ac5a05b75bc972cba
SSDEEP

96:/lxXRkZmIZVu+6/jEo01+cEIvijolPyUan/8FZsKEzLCyr0pRxEVG04sDr44TwIa:/ThlIZ89VN4Ty/nHf0x2G0NDr4RIT

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2064	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2064	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2064	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2064	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	28
PID 2064 wrote to memory of 2352	2064	cmd.exe	30
PID 2064 wrote to memory of 2352	2064	cmd.exe	30
PID 2064 wrote to memory of 2352	2064	cmd.exe	30
PID 2064 wrote to memory of 2352	2064	cmd.exe	30
PID 2156 wrote to memory of 2656	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2656	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2656	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	31
PID 2156 wrote to memory of 2656	2156	1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2788	2656	cmd.exe	33
PID 2656 wrote to memory of 2788	2656	cmd.exe	33
PID 2656 wrote to memory of 2788	2656	cmd.exe	33
PID 2656 wrote to memory of 2788	2656	cmd.exe	33

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2352	attrib.exe
2788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b55e38e943d18814c2292de7ed41e14_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SE.bat" 0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r C:\Windows\system32\drivers\etc\hosts
    3⤵
    - Views/modifies file attributes
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SL.bat" 0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r C:\Windows\system32\drivers\etc\hosts
    3⤵
    - Views/modifies file attributes
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SE.bat

Filesize
49B

MD5
d013cc282f8c7dd36aa46b9db97f14ca

SHA1
1d6d23a62127302e4a6409aaa45902186bccf552

SHA256
46eec18440b6879e3271fb55049330c6c33a89131a0d4bd57631e4633d1d59d0

SHA512
c171985b9aa7dcb19590e5c40c4512a02776afb67abfc1b984112a5ce6e3a0ad6db61ea3851dbf2b6f5f0ad0495b4b9c33015bfc68a9bb16b46c40c6363705e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SL.bat

Filesize
49B

MD5
e271e0a233b644da15be208de2a9aae1

SHA1
732d068d81bcdf50709be42245264e3c0b7670e8

SHA256
19951fc879d9c1ca5b53d0451539ec2e5bbdaa6cc3dada46194aded4cc1b8054

SHA512
edc34083fadcdc9d1b78696b60faa40f75ef7f0f53ee1cd523b87005267f217d00171a13ae9308c42efdaf19e90c1d6526342ceb9a4dedefeeb0d59f2b5f0473

Download Submit