0b8df9acd2c4a4b71bc2b36658ca4ba64796558638617c60dde99a7d90e8d44e

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

261ed78771712636bdea029967952eba_JaffaCakes118.exe
Size

645KB
MD5

261ed78771712636bdea029967952eba
SHA1

6ba2075886daf5a105efb531958e595834d6c8ef
SHA256

0b8df9acd2c4a4b71bc2b36658ca4ba64796558638617c60dde99a7d90e8d44e
SHA512

47e752d959cd16cf2cfd94a6c6a6be9cdf509deb7c5431d221f7c22a04799fdc877c1db246e87465810f86f146d0e83078e5b7dca6752b5f87cbd3d72236b8bc
SSDEEP

12288:vGNbiT94+gia2afU4t8LzbDWJNPhJJ+SJawtuRK0OiihazZhqjEBbqoIJPj:ebajgUavmLz2jvJLmEN6ZOFx

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 2476	2428	261ed78771712636bdea029967952eba_JaffaCakes118.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1632	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1632	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1632	vlc.exe
Token: SeIncBasePriorityPrivilege	1632	vlc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe
1632	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1632	vlc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2476	2428	261ed78771712636bdea029967952eba_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2476	2428	261ed78771712636bdea029967952eba_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2476	2428	261ed78771712636bdea029967952eba_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2476	2428	261ed78771712636bdea029967952eba_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2476	2428	261ed78771712636bdea029967952eba_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2476	2428	261ed78771712636bdea029967952eba_JaffaCakes118.exe	28
PID 2476 wrote to memory of 1632	2476	261ed78771712636bdea029967952eba_JaffaCakes118.exe	29
PID 2476 wrote to memory of 1632	2476	261ed78771712636bdea029967952eba_JaffaCakes118.exe	29
PID 2476 wrote to memory of 1632	2476	261ed78771712636bdea029967952eba_JaffaCakes118.exe	29
PID 2476 wrote to memory of 1632	2476	261ed78771712636bdea029967952eba_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\261ed78771712636bdea029967952eba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\261ed78771712636bdea029967952eba_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\261ed78771712636bdea029967952eba_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\261ed78771712636bdea029967952eba_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\'s Symphony No. 9 (Scherzo).wma"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\'s Symphony No. 9 (Scherzo).wma

Filesize
599KB

MD5
f2271fe569c058dc724d9b9e53811e31

SHA1
ea276fc14127875413ac387f017bd2291a987f4b

SHA256
bf0074851e2435a255b512e502b831ed2c456774971f8fc57004d597769364a6

SHA512
c324428534f64879aa17b190206e538066308486d95e9fa1b8b7238bc79067042717c232034ef8926376b72d3123be169852b05bfe58c7f69887245d91e5b53d

Download Submit
memory/1632-33-0x000007FEF60B0000-0x000007FEF60C8000-memory.dmp

Filesize
96KB

Download
memory/1632-45-0x000007FEF4C80000-0x000007FEF4C96000-memory.dmp

Filesize
88KB

Download
memory/1632-40-0x000007FEF4D10000-0x000007FEF4E90000-memory.dmp

Filesize
1.5MB

Download
memory/1632-15-0x000007FEF7D10000-0x000007FEF7D44000-memory.dmp

Filesize
208KB

Download
memory/1632-14-0x000000013F860000-0x000000013F958000-memory.dmp

Filesize
992KB

Download
memory/1632-17-0x000007FEFAC40000-0x000007FEFAC58000-memory.dmp

Filesize
96KB

Download
memory/1632-24-0x000007FEF6130000-0x000007FEF633B000-memory.dmp

Filesize
2.0MB

Download
memory/1632-21-0x000007FEF6F00000-0x000007FEF6F11000-memory.dmp

Filesize
68KB

Download
memory/1632-22-0x000007FEF6EE0000-0x000007FEF6EFD000-memory.dmp

Filesize
116KB

Download
memory/1632-23-0x000007FEF6A60000-0x000007FEF6A71000-memory.dmp

Filesize
68KB

Download
memory/1632-20-0x000007FEF7A70000-0x000007FEF7A87000-memory.dmp

Filesize
92KB

Download
memory/1632-18-0x000007FEF7B20000-0x000007FEF7B37000-memory.dmp

Filesize
92KB

Download
memory/1632-16-0x000007FEF6340000-0x000007FEF65F6000-memory.dmp

Filesize
2.7MB

Download
memory/1632-25-0x000007FEF6A10000-0x000007FEF6A51000-memory.dmp

Filesize
260KB

Download
memory/1632-26-0x000007FEF69E0000-0x000007FEF6A01000-memory.dmp

Filesize
132KB

Download
memory/1632-28-0x000007FEF69A0000-0x000007FEF69B1000-memory.dmp

Filesize
68KB

Download
memory/1632-31-0x000007FEF60F0000-0x000007FEF610B000-memory.dmp

Filesize
108KB

Download
memory/1632-32-0x000007FEF60D0000-0x000007FEF60E1000-memory.dmp

Filesize
68KB

Download
memory/1632-19-0x000007FEF7A90000-0x000007FEF7AA1000-memory.dmp

Filesize
68KB

Download
memory/1632-41-0x000007FEF4CF0000-0x000007FEF4D07000-memory.dmp

Filesize
92KB

Download
memory/1632-34-0x000007FEF6080000-0x000007FEF60B0000-memory.dmp

Filesize
192KB

Download
memory/1632-30-0x000007FEF6110000-0x000007FEF6121000-memory.dmp

Filesize
68KB

Download
memory/1632-29-0x000007FEF6980000-0x000007FEF6991000-memory.dmp

Filesize
68KB

Download
memory/1632-27-0x000007FEF69C0000-0x000007FEF69D8000-memory.dmp

Filesize
96KB

Download
memory/1632-36-0x000007FEF4F60000-0x000007FEF4FC7000-memory.dmp

Filesize
412KB

Download
memory/1632-38-0x000007FEF4EC0000-0x000007FEF4ED1000-memory.dmp

Filesize
68KB

Download
memory/1632-39-0x000007FEF4E90000-0x000007FEF4EB4000-memory.dmp

Filesize
144KB

Download
memory/1632-37-0x000007FEF4EE0000-0x000007FEF4F5C000-memory.dmp

Filesize
496KB

Download
memory/1632-49-0x000007FEF3030000-0x000007FEF3042000-memory.dmp

Filesize
72KB

Download
memory/1632-48-0x000007FEF3050000-0x000007FEF3061000-memory.dmp

Filesize
68KB

Download
memory/1632-47-0x000007FEF3090000-0x000007FEF30A5000-memory.dmp

Filesize
84KB

Download
memory/1632-35-0x000007FEF4FD0000-0x000007FEF6080000-memory.dmp

Filesize
16.7MB

Download
memory/1632-50-0x000007FEF2EB0000-0x000007FEF302A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-46-0x000007FEF4BB0000-0x000007FEF4C75000-memory.dmp

Filesize
788KB

Download
memory/1632-42-0x000007FEFB9E0000-0x000007FEFB9F0000-memory.dmp

Filesize
64KB

Download
memory/1632-44-0x000007FEF4CA0000-0x000007FEF4CB1000-memory.dmp

Filesize
68KB

Download
memory/1632-43-0x000007FEF4CC0000-0x000007FEF4CEF000-memory.dmp

Filesize
188KB

Download
memory/2476-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-3-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2476-13-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download