461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
Size

127KB
MD5

2b68837db9de8dc4868b847fe774be21
SHA1

5b267c68d86cb57646a9c765add756cb65ca643d
SHA256

461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334
SHA512

733899d7f0278b9611daa3b41f2b4ebaffcb7d7a185e5b28ff4c7e9ae345a36957feb57323a8b3927166dec997febc46c97adb19f7496b9296312ab0645549b2
SSDEEP

3072:tWIVzl1GSJLLpgmGj8g5ZQXMmwI+QXMmwI2m:gIVzl3LumGGMazMa2m

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	Del9C8D.tmp

Executes dropped EXE 1 IoCs

pid	Process
2676	Del9C8D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1948	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	30
PID 3044 wrote to memory of 1948	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	30
PID 3044 wrote to memory of 1948	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	30
PID 3044 wrote to memory of 1948	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	30
PID 1948 wrote to memory of 2748	1948	cmd.exe	32
PID 1948 wrote to memory of 2748	1948	cmd.exe	32
PID 1948 wrote to memory of 2748	1948	cmd.exe	32
PID 1948 wrote to memory of 2748	1948	cmd.exe	32
PID 3044 wrote to memory of 2676	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2676	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2676	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	33
PID 3044 wrote to memory of 2676	3044	2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe	33
PID 2676 wrote to memory of 2980	2676	Del9C8D.tmp	34
PID 2676 wrote to memory of 2980	2676	Del9C8D.tmp	34
PID 2676 wrote to memory of 2980	2676	Del9C8D.tmp	34
PID 2676 wrote to memory of 2980	2676	Del9C8D.tmp	34
PID 2980 wrote to memory of 2864	2980	cmd.exe	36
PID 2980 wrote to memory of 2864	2980	cmd.exe	36
PID 2980 wrote to memory of 2864	2980	cmd.exe	36
PID 2980 wrote to memory of 2864	2980	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c a.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
    3⤵
    PID:2748
- C:\Users\Admin\AppData\Local\Temp\Del9C8D.tmp
  C:\Users\Admin\AppData\Local\Temp\Del9C8D.tmp 84 "C:\Users\Admin\AppData\Local\Temp\2b68837db9de8dc4868b847fe774be21_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c a.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
      4⤵
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Del9C8D.tmp

Filesize
127KB

MD5
2b68837db9de8dc4868b847fe774be21

SHA1
5b267c68d86cb57646a9c765add756cb65ca643d

SHA256
461483fafdb9c48dee3b902d6f36b239fce68026abe11a01eca6314e9584e334

SHA512
733899d7f0278b9611daa3b41f2b4ebaffcb7d7a185e5b28ff4c7e9ae345a36957feb57323a8b3927166dec997febc46c97adb19f7496b9296312ab0645549b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.vbs

Filesize
22KB

MD5
0a4899d7995aeb9b8263f62dcae31c0c

SHA1
d4f5dc941ffa15b07e73097d6dccd87ddfef2e22

SHA256
ce532ed99a85758250b49e3b422654068ac384b8c4951b8f2df97402e191a617

SHA512
ac3a445d8970b691fc9756a89ee590e6449dcd53334bf47c4fc4eb4f0445e767d0271e4cad43a4a286eb320709b63f381d4cd2c938ed5de8786fc0379478b4c5

Download Submit