579966ee8692b4c4743aa35306253cc318c43088702395c695bc691c167cd00f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe
Size

4KB
MD5

38b00c0c337a2839dd9f03181f3222a7
SHA1

e7dac4679ff69e7269dea58b5c909e3a73d3fb47
SHA256

579966ee8692b4c4743aa35306253cc318c43088702395c695bc691c167cd00f
SHA512

4d2d062d8e800485110e9601d5d57ccde18aecb67869a3eff68fe1da4559c86aefd614603a7ebfe40e6f75a2c0092906cc25b96dafaa6d21d215ec2fc414bce9
SSDEEP

24:nbB4nHFXBmQ/Ux0xq3ckoBCPUtNQ/mCL1Fq0GV0GsZVPQ/m8Tm6DKuhV1l:nN4nOk00/3NQ/mF0GVkxQ/m5KKuhp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2456	HELLO.EXE
2076	hello world.exe

Loads dropped DLL 4 IoCs

pid	Process
1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe
1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe
1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe
1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2456	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2456	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2456	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2456	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2076	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2076	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2076	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	31
PID 1512 wrote to memory of 2076	1512	38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38b00c0c337a2839dd9f03181f3222a7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\HELLO.EXE
  "C:\Users\Admin\AppData\Local\Temp\HELLO.EXE"
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\hello world.exe
  "C:\Users\Admin\AppData\Local\Temp\hello world.exe"
  2⤵
  - Executes dropped EXE
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hello world.exe

Filesize
1KB

MD5
42674f041a9b0264d0a6c771191de3d0

SHA1
ed41b98e07545eac410da96512720d9f2d9c25ca

SHA256
002d353d8a185b7042cc722a0cd154840eebd1e589832179e91065ba16d9d755

SHA512
69546e68b8b0bef8bbae2d182fb7741b638bd2cd47636978b2e154d50a21dae17a38362f29875ab2221d2967c620078f0e976fa189082fcbcd7343919df1f41d

Download Submit
\Users\Admin\AppData\Local\Temp\HELLO.EXE

Filesize
1KB

MD5
cd517295184b3539309cfedff45d7373

SHA1
d4b3ac1f92e7dac32720de613570bfcead5996d6

SHA256
1fa07d026c79a7bd75bedcbc6c89789f0563729705a02ee04018530815a1b41f

SHA512
9174d101fc644fb7adfb8d89f12581246f579242fb27f00f3c9b1ff5618ab73a92331731a92c41d51eeee1ac9e31e8139bc75dbfb99f983bb7ceba28d831d149

Download Submit
memory/2076-18-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2456-19-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download