34c13af7595d40d59dbd826c70d74de7a851dbe059db9313cc2dd84e0649f41c

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

387826e941f845b20554f14b91218175_JaffaCakes118.exe
Size

619KB
MD5

387826e941f845b20554f14b91218175
SHA1

d3accb61746b512fb56406569ed1b606cd204d27
SHA256

34c13af7595d40d59dbd826c70d74de7a851dbe059db9313cc2dd84e0649f41c
SHA512

8637af12e7a756d041ae47a1c7419a91552eaec837843c02f5b894458125eb0f370d5757df694520c1b81054af0aefa5640204d534deef3f53332d45e36d8756
SSDEEP

12288:9ufIQziUgIg4oCHT5B7PotSOx164gNIHNbZs8Lp97rWsVFqG5aDIB/nQ:uGUdg4bHVBbotSOjaIHhZJLp97rWsV1a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2348	EXE8D42.tmp

Loads dropped DLL 2 IoCs

pid	Process
2700	387826e941f845b20554f14b91218175_JaffaCakes118.exe
2700	387826e941f845b20554f14b91218175_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2348	EXE8D42.tmp
2348	EXE8D42.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2348	2700	387826e941f845b20554f14b91218175_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2348	2700	387826e941f845b20554f14b91218175_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2348	2700	387826e941f845b20554f14b91218175_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2348	2700	387826e941f845b20554f14b91218175_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2104	2348	EXE8D42.tmp	31
PID 2348 wrote to memory of 2104	2348	EXE8D42.tmp	31
PID 2348 wrote to memory of 2104	2348	EXE8D42.tmp	31
PID 2348 wrote to memory of 2104	2348	EXE8D42.tmp	31

C:\Users\Admin\AppData\Local\Temp\387826e941f845b20554f14b91218175_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\387826e941f845b20554f14b91218175_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\EXE8D42.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE8D42.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM8D43.tmp" "C:\Users\Admin\AppData\Local\Temp\387826e941f845b20554f14b91218175_JaffaCakes118.exe" http://www.eomniform.com/OF5/nsplugins/OFMailX.cab http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXE8D42.tmp

Filesize
1.1MB

MD5
2d2fd71efa30293b805806d7e8999f8f

SHA1
3ca3d43dbb456a33874c6f7707b6d55e32c2d911

SHA256
edc16a9ae5e1fe484d301ed4680eefb85677e85712793fd69338c35f15febb99

SHA512
639e50317f4da0f793d9f7d4bff3ee1afb8e9f929727ad47816a104b052a81047253631b078b85f0b6e056bdd37e4b67e2e468a760ab05b9b1eb4bf1efa31a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFM8D43.tmp

Filesize
240KB

MD5
cc2c743580ae9de7fd286a68c9bc6466

SHA1
ed9a1e876267db8a61ee0133c8c90ac7f1327113

SHA256
50033242a808035ad629c3b1a19d70683ffc8c1ae47c972a13be62a3468e1a91

SHA512
f1b76fc8a5a9cb82a413d7a6a0fe3fae03a575ace1afa674c7304063f54f4a14ff4cd04daf15400e3f4e602abebe1bb4b247cd12b8cce986233253d3539da7b7

Download Submit