b95d3f837860a9458844193b1eb148f16865728200f62c2671ebf37644f57dff

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

353e474f7b4016813bbb462798fec64f_JaffaCakes118.exe
Size

865KB
MD5

353e474f7b4016813bbb462798fec64f
SHA1

0464cc64c8e19e42765deeeae6e3f1a46c1ed9b9
SHA256

b95d3f837860a9458844193b1eb148f16865728200f62c2671ebf37644f57dff
SHA512

01395ed6cd1b6cfe3a81680bcbba907c99973f63bfe15c6010dc2f78a425fc9b28587d5268220595d39b5029c0d172931ed5b2f786a85d6509b563d48a2a24de
SSDEEP

24576:K/7//0x2mmB+i06g8oUsuE/pm3dw1ClFrg2Dt59e4Omb5/:gzBb06g8oj1/pmDH/59//

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3996	rUNdlL32.eXe	86

Loads dropped DLL 1 IoCs

pid	Process
3404	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3404	2468	rUNdlL32.eXe	88
PID 2468 wrote to memory of 3404	2468	rUNdlL32.eXe	88
PID 2468 wrote to memory of 3404	2468	rUNdlL32.eXe	88

C:\Users\Admin\AppData\Local\Temp\353e474f7b4016813bbb462798fec64f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\353e474f7b4016813bbb462798fec64f_JaffaCakes118.exe"
1⤵
PID:2624

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqlite.dat

Filesize
558KB

MD5
d2ea63e70f5d51810958b2893048ebae

SHA1
5c3d28bf01f169685b09014544cf67cc3a610e2e

SHA256
c5f36825e9c601d5550b02717dbeeeadf1b947806c613d4ff15ed43fbdf2023d

SHA512
749062d7ed13d600a28f0a07a5b0682252e45c7a0b693ee88815941c099f97e651b275b9cc47ed905875a2a3dd09a26da8d89963514e836aebfdfe8e060d53c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll

Filesize
80KB

MD5
993b4986d4dec8eaebaceb3cf9df0cb4

SHA1
07ad151d9bace773e59f41a504fe7447654c1f34

SHA256
4412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec

SHA512
ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e

Download Submit