ece51f053b7c03a109a01fb9a9eca2b09940756136e56564ed9fb31ed6e5b2ca

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35d6e48a41d45f10228131b93764d07f_JaffaCakes118.exe
Size

2.1MB
MD5

35d6e48a41d45f10228131b93764d07f
SHA1

d9e4cecc19bb4bf26d8cf6bacfadeb49bebd9a22
SHA256

ece51f053b7c03a109a01fb9a9eca2b09940756136e56564ed9fb31ed6e5b2ca
SHA512

146f5fce9c1ff724ee111de34afbcd7b81d90fad0bce88cb4267d4b9ef1d815c88188ee3e949bdd5475c7aeac1fc1f98441404a551a334ec6f15300b935e8cc0
SSDEEP

49152:x3uyvd1UctuCHtqzpKVt4eKKA/ZYbsTPYmHzImd5oy4/hv6:x+yvXBHiEVaK/qLzdoy5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1360	irsetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Look@LAN Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	irsetup.exe
1360	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1360	irsetup.exe
1360	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1360	228	35d6e48a41d45f10228131b93764d07f_JaffaCakes118.exe	84
PID 228 wrote to memory of 1360	228	35d6e48a41d45f10228131b93764d07f_JaffaCakes118.exe	84
PID 228 wrote to memory of 1360	228	35d6e48a41d45f10228131b93764d07f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\35d6e48a41d45f10228131b93764d07f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35d6e48a41d45f10228131b93764d07f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
51KB

MD5
ff439d8a48231281a5b95d703c168fe7

SHA1
76094b5540f187bc730fb9ce8265c5d5fd74d4e9

SHA256
403b2c886bf9895534a5ebe14894d64f80ec1f10d01c04480ba68a4b10870067

SHA512
ea3c9ff9f2fb64e271b6b0dcd13db4e70d3e5b71b7d6302692bc46586edb33cb6aacb9c9548f00c17d1b063c430c4fd2807afcf39fbe50d358c89e19c6955d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
7KB

MD5
a7a2b905faa4521074bd20091a921301

SHA1
45b36a9b8b806f8b16d13368fdeae97c3db31573

SHA256
9f825018b7d97a7a31457f7f063c682dbc887696d34cd71d9f6f9a1a80f9265f

SHA512
6e6f293f47f04bda18ec45581b36adc301da3ee06b846f4ffe0e1d476b21dd2e1d678b21acf100fda29787a1b8af54b0a104abf57633ca61737b278676df720f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG3.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG4.BMP

Filesize
7KB

MD5
ef0f83b8f590eef4cda9809b9d5873f6

SHA1
2217997c6c7251f7bf140498dccccfadf63dae89

SHA256
3cef434f2584fd81120e4c48b2442c0e649f340c29e42d4c8c68569091576036

SHA512
e590996a63af31cdc254a73f17071711d2f384bde374605f22ca2189731a29fdd5d992c43473c05a889cd0254c0b5df56c9c28e545e0458128cb1b1056ef2f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG5.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
33KB

MD5
b273fcc4665f1f33c64788ccd0901c10

SHA1
d96694407829d15fd18affb0c1579d341de786bc

SHA256
6e1a69b96d9171075863e475ac5bb4d348297e2ef0ebf0bb8982d37acdd819f3

SHA512
18d8897491b91d5bc9be2c58bdd8294263db67d1ced292202fad91bbc513cd702f55e0826cc51fca320675e332363e2eb948764e0c860c6a050ac0cd9784ceb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
65577ef62a45aa9a29639bec2649fb72

SHA1
80836c68ae49434adcbb300ba36c9530f09f81d2

SHA256
ff0b872a6b7dcdab47e13b3dc6cad51934d1923f0e70a84e595fb7dcf300dc7a

SHA512
2e04a1fecd1528b42809b4d0d2ac637a0fc8a7820879b61935ae462feed45e7356390481c5965663ef08e46c61a6a97a64b73b20fb8be489693b2d58c1aad4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
119B

MD5
ab23ad6b4baaba15ffafda58159cf485

SHA1
9df08a86460df4aae5abe5de92bc57024dda48d9

SHA256
c4e19a89447458156681964cf17be1f4d0aac05219d486eb05a3fc7a06819b93

SHA512
242dc7f6f67aba66c9c347cb621e3c04edd73e18cac383a663059cd300f12f56517966d20973ba8225863b158fe968cf2e5fe4e7161bd62c783342d98b8253c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.9

Filesize
15KB

MD5
65a07854a4ac46c7fcdfafce978a032d

SHA1
2766e37c4a49c4a2b65593061e59ce8e49363c25

SHA256
de4baa540b128b303c3bd6f33e1f7ee7b840143fbdaa3f931519a36d6e9063bc

SHA512
0e6ce00d1d34042fa4aa3e273b186de0bc600197dce37a9418f8653f8d6bb507d4c78d33804cbf7740e02920d4962de684060a5463df458f3764033a4da045c8

Download Submit
memory/228-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/228-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download