49627275dfe654ebd48e38811449889a1607ef9a39b3ec058e91ce1d870eb38f

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 22:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe
Size

13KB
MD5

2e1b93a37c12954e94efc04f70f2b55c
SHA1

999b6ca9e71d6a58dc2337e5fea1a6880193a2e1
SHA256

49627275dfe654ebd48e38811449889a1607ef9a39b3ec058e91ce1d870eb38f
SHA512

f4a53c29334f7c764d0089c49702b73eba8ef1d71ac9c1add3a7e7054e7280e3ada6e09fbc47054d286a00ca0501f1be809bb95a95be53f22b969447f963a44b
SSDEEP

384:jxNR77zN0w638TNFTBs16QCzOcg9FgXiou:jxN17zn66W2zONFgXiou

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1968	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1968	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1968	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1968	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2828	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2828	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2828	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	31
PID 2548 wrote to memory of 2828	2548	2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e1b93a37c12954e94efc04f70f2b55c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
  2⤵
  PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
  2⤵
  - Deletes itself
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
351B

MD5
36d5421223f9d2698ba32da321f0fc39

SHA1
28327a6cba0deab084b98fc25a1826b5605c08bb

SHA256
62acb90ec182c1215ea1589cb7cd55084310032310889a8f9a507e3c31eff540

SHA512
c2b8e7abedd7a2b2a55807a391b8213314a6000f23cb927fc591f71f778f118da18d6982e5e24ba5b4c0f226a496a8e96bc26d59923ba1d6083db8f1ed4f0eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
146B

MD5
33d6fe24ac083f17ca58115f296938da

SHA1
2bd97e42dc149b29ba6543f31f49712e9bedbdc8

SHA256
9661e460396f6eb9232a2395e96b29615ce73b4da265b93fe0aa54d5d572eb4e

SHA512
b68a87b2a70d4b3995c2012cff4b6bad779a900dd19828dcbbb50fe6bd26c9547b4d9b4b51a9a94b18c55913c0c4256a4b6261bd709934d24f557df1a48583fb

Download Submit
memory/1968-19-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2548-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2548-32-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download