a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe
Size

2.0MB
MD5

1f9b619074e3ef7c19b296330e290dde
SHA1

8342d1aa1cef5d5d10ee68a4dfcca4de12599502
SHA256

a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571
SHA512

3ae7ef2c3181b44816e0cb7186b113c8e99d97e06a56d7b4babf283cdc342f18273e39c66912c41bdbbabc62303bb8bb998cee9db0234847a521df46ae6784c6
SSDEEP

49152:DKqoP5uG7LG6sjWmlwsg7IklBKZICcDIGXQvh9zK4tMy+iZKnkJeYuFEb:DQP5uGvC9bg7DlBqICchX8W1iZgkJLuo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1600	f193n15598i0567.exe
3064	13tu7hiem9f2421.exe

Loads dropped DLL 3 IoCs

pid	Process
2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe
1600	f193n15598i0567.exe
1600	f193n15598i0567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	13tu7hiem9f2421.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1600	2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1600	2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1600	2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1600	2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1600	2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1600	2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	28
PID 2088 wrote to memory of 1600	2088	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	28
PID 1600 wrote to memory of 3064	1600	f193n15598i0567.exe	29
PID 1600 wrote to memory of 3064	1600	f193n15598i0567.exe	29
PID 1600 wrote to memory of 3064	1600	f193n15598i0567.exe	29
PID 1600 wrote to memory of 3064	1600	f193n15598i0567.exe	29
PID 1600 wrote to memory of 3064	1600	f193n15598i0567.exe	29
PID 1600 wrote to memory of 3064	1600	f193n15598i0567.exe	29
PID 1600 wrote to memory of 3064	1600	f193n15598i0567.exe	29

C:\Users\Admin\AppData\Local\Temp\1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe" -e -pm1it982889f9266
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe

Filesize
1.9MB

MD5
173a6177bb4785ddc32232299f49f6de

SHA1
a2c834008094e2dfb0404127fb787b6e6f13329c

SHA256
a283ff54ea50d76f1f5881584d3129b6d80457880244d532d0f81ac05cccc3af

SHA512
d39ded0bc757b94f3635648ed61c882b81df4fc64f4b895b50cd1811329c4737ff7d439b7cfbec4a29d3d426ac40d7d8891f7005f29f9dc91b2c558e7bd1757c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe

Filesize
2.0MB

MD5
567b2b37131635dea665bca13f4999d8

SHA1
1585ba49f012492c92f69ff46a752e8f4ce26322

SHA256
bd887a86e92b97eea034dc5818aa270ff66b8a7571afa47d78a9390ec8f9d7af

SHA512
95e60c1275de2fbc8cd4a869562e4cd38b9d22f7ebdb2fbc80a72726d167f836aeb35913e39565da1dc7d2451f954ef1b0c8dc0c2c0aba40ffab4e5411b67fae

Download Submit
memory/1600-18-0x0000000003940000-0x0000000003D45000-memory.dmp

Filesize
4.0MB

Download
memory/3064-19-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/3064-22-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download