162b2832dcd20580d9367b89a8d0a3b3ef9b1a0e082fc647585f28242393f7e8

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 03:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe
Size

401KB
MD5

2ad18b636e6f3bcab9ea43821acc432a
SHA1

e1f1e172435d736e8b0193710b36bfaa891d7980
SHA256

162b2832dcd20580d9367b89a8d0a3b3ef9b1a0e082fc647585f28242393f7e8
SHA512

250fc847de47df0ac083626b0d0822f4a700398f8187d8b6cfc46cad4922e37c285d4be152a1b0259eae1ecb7065bf5640cdf3b7d43cd05ec9d4ff3990a3d2be
SSDEEP

12288:gutrzh9xOXkOXmPNFUns62osFhLlpym2je76w:gutr5OUOXmPYZ2oiFlpymEO6w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	Plug de Seguranca.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe
3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3052	3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe	28
PID 3040 wrote to memory of 3052	3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe	28
PID 3040 wrote to memory of 3052	3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe	28
PID 3040 wrote to memory of 3052	3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe	28
PID 3040 wrote to memory of 3052	3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe	28
PID 3040 wrote to memory of 3052	3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe	28
PID 3040 wrote to memory of 3052	3040	2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ad18b636e6f3bcab9ea43821acc432a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\Plug de Seguranca.exe
  "C:\Users\Admin\AppData\Local\Temp\Plug de Seguranca.exe"
  2⤵
  - Executes dropped EXE
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Plug de Seguranca.exe

Filesize
1.8MB

MD5
76c51c4280c22bad1c37602f3115d399

SHA1
3b142251e1b043f9b515128b6103fcc5b544b851

SHA256
a1d5bd61eedea7422fc3b887e6b103656a23632cc39a7a279edf7b27333fa257

SHA512
d0c8e045b8cdfe78c84da5c79773101162a75dc9ff662cca2a0bf7c0a1c3c6508c77d56f562c5d220aae23848801f2f1954851bec51d3afc83688fb6c584e559

Download Submit
memory/3052-10-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3052-11-0x0000000000010000-0x00000000001E6000-memory.dmp

Filesize
1.8MB

Download
memory/3052-13-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download