0a6b0930b3b54f5cd5e640e259f27f3feb089785619e1b2ec9abeb1c2ce0834d

Analysis

max time kernel
130s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 21:30

Target

3ac80ff075325879d39098766427d623_JaffaCakes118.exe
Size

48KB
MD5

3ac80ff075325879d39098766427d623
SHA1

52df3ecab8c407f1e7b90a7070224fefe6679e91
SHA256

0a6b0930b3b54f5cd5e640e259f27f3feb089785619e1b2ec9abeb1c2ce0834d
SHA512

f7ac8f9ce751d9df8ffa3a9e947d04ae15be71808cf902715f90267f80a3908c5ca0dcaff0a9254ed14775a2447800adffe22080d04827e57c997050012abc9e
SSDEEP

1536:nxQP4OUMAFlmsDZVn5Yxbz+YRYOzyuqout:xQP4OUMYlmsDrajtlq

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2104	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID	3ac80ff075325879d39098766427d623_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl	3ac80ff075325879d39098766427d623_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\webmedia.chl\CLSID\ = "{F00E59F9-65EA-4BAC-AD14-FAFEE832151B}"	3ac80ff075325879d39098766427d623_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2496	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2496	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2496	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2496	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2104	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	33
PID 1680 wrote to memory of 2104	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	33
PID 1680 wrote to memory of 2104	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	33
PID 1680 wrote to memory of 2104	1680	3ac80ff075325879d39098766427d623_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\3ac80ff075325879d39098766427d623_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ac80ff075325879d39098766427d623_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xzbA48A.cmd" "
  2⤵
  - Deletes itself
  PID:2104

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\xzbA48A.cmd

Filesize
304B

MD5
41586b9563545710b49f9a30c737108a

SHA1
c19c5ceb70a54cff7d956a94f03f1d020a53ee3e

SHA256
27cce3544e2a105c519d6c8affceea69bbdf93e24dcee6b81cf11f53ddb23275

SHA512
aade9b4034af0524e8dca9321f386c7ddf81d67f0f6e1379cef7ae0238aa890c8b6892507ded3d81c83f048397fbb48af116909bd880dae2fa13ec818b185e2d

Download Submit
memory/1680-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1680-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download