912a20f8b2d668d95091c53bc79b0604d29c273cc10ad8971ede9d44ff1284e4

Analysis

max time kernel
32s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c56fc344f862a3211f7c180d0da2c16_JaffaCakes118.exe
Size

1.1MB
MD5

3c56fc344f862a3211f7c180d0da2c16
SHA1

47cc028a9e72bfbfb62b3ae8df11288cecc8721f
SHA256

912a20f8b2d668d95091c53bc79b0604d29c273cc10ad8971ede9d44ff1284e4
SHA512

1485d6d15658f702a73638fa37d64887db0a51f8fac7f5068a57d6c57810e44b3ab8519cf91ee8e9c56f46d2aeb9f520f1f80340b6c2c510060d130848b7ae5e
SSDEEP

24576:m9mRTALRJsgZNfe+e43KX1ShZ0lX0COFddP8DHxJzm9qRxHBsaKR0GQt1K:m9M0LR2Cte+Z0lXLMx8FJzm9qRx8R0GX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4284	Setup.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\O:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\E:	Setup.exe
File opened (read-only)	\??\F:	Setup.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\R:	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4284	Setup.exe
4284	Setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4284	4776	3c56fc344f862a3211f7c180d0da2c16_JaffaCakes118.exe	84
PID 4776 wrote to memory of 4284	4776	3c56fc344f862a3211f7c180d0da2c16_JaffaCakes118.exe	84
PID 4776 wrote to memory of 4284	4776	3c56fc344f862a3211f7c180d0da2c16_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\3c56fc344f862a3211f7c180d0da2c16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c56fc344f862a3211f7c180d0da2c16_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\7zSF6E3.tmp\Setup.exe
  .\Setup.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF6E3.tmp\Setup.exe

Filesize
481KB

MD5
81a5be78492e74d8ebbfce5ff45ee903

SHA1
496b334c1a9d233cccafec536c6ff1f0cad3951d

SHA256
aaf5c87ec0f8a470bb725c0a779672ab8321e4a7c11f50c9c2d2e493ab87323e

SHA512
d77c75972cf3862fa03a9598df582942328d61537b9e1392021c12b00df05f5cd7425c2ec76cffbd426284a209f8b6f54baf008c2b86beba4c1241c92626c25e

Download Submit