b65a614066394895d68bdfa9aa6a3ccc48fae8ece8532821237205e7c6041821

Analysis

max time kernel
22s
max time network
27s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe
Size

16KB
MD5

39d7fd9fd033003febb492eec482ceb2
SHA1

35e8c96009665ed97ddb1dafeead5575e13e9b62
SHA256

b65a614066394895d68bdfa9aa6a3ccc48fae8ece8532821237205e7c6041821
SHA512

a4461d7f45e9cd1fc23fbeaee587059272746494e313e29a8e12fa2ba38cc511ed84c10223ce5bda10961d87ef75e281a3ced0639e6899a153067e45c57ff7c9
SSDEEP

192:ruRqpkF0vi/jnULeCN0P3T1QvyStx+fDQK6f6lqBWHjY2L:ruRqyF0vWjnULeCyQ2DQX2qBWU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2704	calcnew.exe
2764	calcnew.exe
2100	calcnew.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	calcnew.exe
2704	calcnew.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\calcnew.exe	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe
File created	C:\Windows\calcnew.exe	calcnew.exe
File created	C:\Windows\calcnew.exe	calcnew.exe
File created	C:\Windows\calcnew.exe	calcnew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	calcnew.exe
Token: SeIncBasePriorityPrivilege	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2704	calcnew.exe
Token: SeIncBasePriorityPrivilege	2764	calcnew.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2704	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	29
PID 1360 wrote to memory of 2704	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	29
PID 1360 wrote to memory of 2704	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	29
PID 1360 wrote to memory of 2704	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	29
PID 2704 wrote to memory of 2764	2704	calcnew.exe	30
PID 2704 wrote to memory of 2764	2704	calcnew.exe	30
PID 2704 wrote to memory of 2764	2704	calcnew.exe	30
PID 2704 wrote to memory of 2764	2704	calcnew.exe	30
PID 2764 wrote to memory of 2100	2764	calcnew.exe	31
PID 2764 wrote to memory of 2100	2764	calcnew.exe	31
PID 2764 wrote to memory of 2100	2764	calcnew.exe	31
PID 2764 wrote to memory of 2100	2764	calcnew.exe	31
PID 2100 wrote to memory of 2740	2100	calcnew.exe	32
PID 2100 wrote to memory of 2740	2100	calcnew.exe	32
PID 2100 wrote to memory of 2740	2100	calcnew.exe	32
PID 2100 wrote to memory of 2740	2100	calcnew.exe	32
PID 1360 wrote to memory of 2792	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	34
PID 1360 wrote to memory of 2792	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	34
PID 1360 wrote to memory of 2792	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	34
PID 1360 wrote to memory of 2792	1360	39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe	34
PID 2704 wrote to memory of 2736	2704	calcnew.exe	36
PID 2704 wrote to memory of 2736	2704	calcnew.exe	36
PID 2704 wrote to memory of 2736	2704	calcnew.exe	36
PID 2704 wrote to memory of 2736	2704	calcnew.exe	36
PID 2764 wrote to memory of 2684	2764	calcnew.exe	38
PID 2764 wrote to memory of 2684	2764	calcnew.exe	38
PID 2764 wrote to memory of 2684	2764	calcnew.exe	38
PID 2764 wrote to memory of 2684	2764	calcnew.exe	38

C:\Users\Admin\AppData\Local\Temp\39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39d7fd9fd033003febb492eec482ceb2_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\calcnew.exe
  "C:\Windows\calcnew.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\calcnew.exe
    "C:\Users\Admin\AppData\Local\Temp\calcnew.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\calcnew.exe
      "C:\calcnew.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\calcnew.exe > nul
        5⤵
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\calcnew.exe > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\calcnew.exe > nul
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\39D7FD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\calcnew.exe

Filesize
16KB

MD5
39d7fd9fd033003febb492eec482ceb2

SHA1
35e8c96009665ed97ddb1dafeead5575e13e9b62

SHA256
b65a614066394895d68bdfa9aa6a3ccc48fae8ece8532821237205e7c6041821

SHA512
a4461d7f45e9cd1fc23fbeaee587059272746494e313e29a8e12fa2ba38cc511ed84c10223ce5bda10961d87ef75e281a3ced0639e6899a153067e45c57ff7c9

Download Submit