9e0eecfc5fefd5ecdc5cc205a1585fe30c5d9bac455c981d03b57c965e31fa9f

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
Size

45KB
MD5

30e881a3988e3f38f58698b2f9bb96c4
SHA1

380da287773281f36517ab501ae195fb0cb28587
SHA256

9e0eecfc5fefd5ecdc5cc205a1585fe30c5d9bac455c981d03b57c965e31fa9f
SHA512

d7b8631ea383de0f9be86ea17b13ba5c2331f7c7586c818ae42518a8124eeb39e20f7074d01eef7df289db787572efed6c5c4c638d45d51a26d6fe13dc7ecc77
SSDEEP

768:bclMNYiKC+qzfevpe4sQ72uKcopRaQP0xxXllllllllllllllllllllllllllll/:jR+MevpkCXx2vuyfC9dhheenh

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JMicron.lnk	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2524	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2524	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2524	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2524	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	30
PID 1928 wrote to memory of 2812	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2812	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2812	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	32
PID 1928 wrote to memory of 2812	1928	30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2784	2524	cmd.exe	33
PID 2524 wrote to memory of 2784	2524	cmd.exe	33
PID 2524 wrote to memory of 2784	2524	cmd.exe	33
PID 2524 wrote to memory of 2784	2524	cmd.exe	33
PID 2784 wrote to memory of 2980	2784	net.exe	34
PID 2784 wrote to memory of 2980	2784	net.exe	34
PID 2784 wrote to memory of 2980	2784	net.exe	34
PID 2784 wrote to memory of 2980	2784	net.exe	34

C:\Users\Admin\AppData\Local\Temp\30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30e881a3988e3f38f58698b2f9bb96c4_JaffaCakes118.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c NET STOP wscsvc && NET STOP sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\net.exe
    NET STOP wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP wscsvc
      4⤵
      PID:2980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yqaho.vbs"
  2⤵
  - Drops startup file
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qepoi.bat

Filesize
1KB

MD5
62fe1bde82e07df9c86f7b8b36786ac7

SHA1
c707b7957c3016e3327968dbe0933e00b9275380

SHA256
59deeb2704d267712eb36a3056efdcd376f9f2fbbc5dd7b722c1dbed41ac63a3

SHA512
64c209ab5a922132d50c5c3069009d046c1a38b44349a28307a3cc3c1954ed981624bf8a1c9767ec1e4632919939afce153c41b588222ae280332a54cc64ef11

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhq4i

Filesize
34KB

MD5
ee42f37edc1baf81dabaf9a8c33c4b80

SHA1
06737e3966892c6472e2a0e97ae7f2c284397326

SHA256
65d2bbd26f221b0035118dd2bebfbab7ec1430f5bed0cdfd40d663193f1d45df

SHA512
cbf551a14ddf02ee6139f06135e170a08149e0b51f1a2e07bf8fd30afd74a42f6db1e9e5bfd24c35a45391bd4d232e3a684da825bcb8025c609ff213d225ef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqaho.vbs

Filesize
1KB

MD5
185de81473eed7a14ba176160679042e

SHA1
db8127cec49b9adcf4a594d182ade05f8af88152

SHA256
2926ea884d44d115048bffac5c22f9eb3dc3e99108e183f25f1abdbfe8c8b28f

SHA512
47bc23d50b928044c243acdd7e9bfe62629f196fef916ba30d1c1d565518957d6cc1e125d8bcc589fccd239b23507e03fd03728934d671c8d1f9552aa8a1b3af

Download Submit
memory/1928-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1928-1-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/1928-0-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1928-197-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download