d0712875feba97ce0c191346ffbb54f01cd3f0b9892fbcee4d27f339efd779b4

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe
Size

51KB
MD5

2f43122e02f692ea0ab02f300c3126d5
SHA1

c5c21c6e0b596399e167114be43154e1079979f7
SHA256

d0712875feba97ce0c191346ffbb54f01cd3f0b9892fbcee4d27f339efd779b4
SHA512

cd472280dfd969c78dac7c3fabae01fcfb262ad2c0bdf1ddcab6ebb0db6cb6f155aabdf52f45631a1347691a5ab3c11c627124d88de9e4fad49bfa77242dd72e
SSDEEP

1536:BWP2/yLl3tPhc0Uon280/JSLjuGNEyj2Tbk:BeQm3tPh3Uo2GvusEyyTbk

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1596	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1864	1596	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe	30
PID 1596 wrote to memory of 1864	1596	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe	30
PID 1596 wrote to memory of 1864	1596	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe	30
PID 1596 wrote to memory of 1864	1596	2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe	30
PID 1864 wrote to memory of 3060	1864	vbc.exe	32
PID 1864 wrote to memory of 3060	1864	vbc.exe	32
PID 1864 wrote to memory of 3060	1864	vbc.exe	32
PID 1864 wrote to memory of 3060	1864	vbc.exe	32

C:\Users\Admin\AppData\Local\Temp\2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f43122e02f692ea0ab02f300c3126d5_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhgiqq36.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5DE.tmp"
    3⤵
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC5DF.tmp

Filesize
1KB

MD5
f14e1c96ad2d7d03904d75ba973e74f3

SHA1
eb5f230091ae9104ae5ea9b7840d7895444d9f9b

SHA256
77132ac1a2b91c11fbcd77a08f44351a31e2fa5a302f70db465866f501d97f0f

SHA512
885254a11a71079e648f2aee68fe56ec94c60b4e59659a31c8d3d4d029028ece2f69119be6a71accebfb800f65346059be33b0b0f68daa487f0a6b46c41b4b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhgiqq36.0.vb

Filesize
30KB

MD5
0a9bef7c75e587a058cb7019181f0234

SHA1
206f31a4cbed8c689475c7c042d8353d7394de1e

SHA256
01203b7adcf88f54de4a2fd4cd056369836e9dc0c14116162749cc82553a0f48

SHA512
24024b406c4816a5d1be0a570f5189ec0c129b78b22ba25e6c8c286816d29b6ec0fda5bd13a4f15ea0dafa594c4376be8d813be3d22c7c79c3b5acf71120128c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhgiqq36.cmdline

Filesize
276B

MD5
8a4eb75de7831b6874a9ffbdaa4c67a2

SHA1
d8f5c91d2a65f768994205cc929da2f51aa5aecf

SHA256
55b59150591ee4b5261fe43935f095adf6d3124c44d2466ec24137f75059bea7

SHA512
74a069b8a926728e3b66dbcef477c35f818bcf2d8e0e6cc75033ec63a2377816f8a6c6c01a16f2629251d94c81ca85a860490c5d75695528c9d4140284bd1c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhgiqq36.dll

Filesize
28KB

MD5
2541f62148fd38b1052bb1e73088af4c

SHA1
30fc303b8de69e28d4b2a4b0392bb6366cc6f8b4

SHA256
223e89af91ef35a56cf94e6ee6a293ab29030257f24db8c9a884a5d231a9b2cf

SHA512
1d527f389fe8e779295848d5c4e2aa50e976178cdff534052eb1df24fbc8544e0a2c2efbdbebace366178a1723901abd8a7f147975fbd7ea1414d57f53d35dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5DE.tmp

Filesize
652B

MD5
e93229d638250cd9ddc1a1b15324907b

SHA1
f1791bf902bcdcc914a387135969f61c99078e45

SHA256
97f995932875721bee630b94e9b42d874d6088f040547ebc4a8efc1cb7ae5c2b

SHA512
cd7fdb4ffac433a9674be2467d904bf54ca0be31c8546e742db882f0d0eb63a22b918389535f45b9f8d50e4d50b0f0a68e0da29cde216d12f6944eeb2fa8ca4f

Download Submit
memory/1596-0-0x0000000074441000-0x0000000074442000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1596-2-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1596-19-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1864-7-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/1864-16-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download