e56da3f5db3bafec7d4b26ee19bcfcc8b1f5e01155b35ced32373fea7bf0e3fd

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
Size

743KB
MD5

26f97eb79f7217579fcef497133a5178
SHA1

8544305857d33d6b88502dc0a527a21dc4175f25
SHA256

e56da3f5db3bafec7d4b26ee19bcfcc8b1f5e01155b35ced32373fea7bf0e3fd
SHA512

fe7d45088c03e6b38dd32b2052cca24d5165f765f1089094203588612af254431246be483ed2b71cb3326882b036343a5dfc880c51f578c60ecfaef97fe5be1f
SSDEEP

12288:T/5pooFT7xMgKvLvruqQ5+uWXdyFlQh9FRvJQSVc0xK7gTENepZP:Txm+xMRvLvXduVI/T0gTvp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2556	tmp.exe
2616	R_Server.exe

Loads dropped DLL 4 IoCs

pid	Process
1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe
2556	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	R_Server.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2556	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2556	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2556	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2556	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	31
PID 1660 wrote to memory of 2616	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	32
PID 1660 wrote to memory of 2616	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	32
PID 1660 wrote to memory of 2616	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	32
PID 1660 wrote to memory of 2616	1660	26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26f97eb79f7217579fcef497133a5178_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe" -NetStat
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\R_Server.exe

Filesize
30.7MB

MD5
f5bf22328235e4750c4bde9b3640c47c

SHA1
6e422a1cfd392b56d85e163a9be8467d75927f62

SHA256
862b11c9c7d75929c755ac2904c325f25ac315c1da0855384110493f2e2e5ccf

SHA512
31bc05640a3c32e94888fdc862041b5d7bb59a07f5e78cd4f0fb9f3da27e4a7ee1e70802ef71ff031d63242467e7f55483b97235f0225651c64838fec3da6241

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\tmp.exe

Filesize
30.0MB

MD5
61910644e9560ebea70adc93af6c7f9e

SHA1
e110bafedefb8db4b092349c5412367fe3669422

SHA256
0145df902adcc046e1a99fb05e52b12d46d69dace736159a7295afa600754853

SHA512
fb42e43a7eac0ddb2704dc4f1956091eb74b3295c2f272d6426399f9d8401fdb6df4ce0a4afa16f0b4780b1b898fa702f0187ffda902b67a3e0da1cb1d32f488

Download Submit
memory/1660-52-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1660-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1660-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1660-51-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1660-27-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2556-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2616-49-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2616-53-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2616-55-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2616-56-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2616-57-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2616-59-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download