ad09cad94d3f34e6babb5eb746be8fa357358692f5e617bacc6238d6923d7af5

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 11:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d39fec35a5f452c0db148cbd14b4714_JaffaCakes118.exe
Size

138KB
MD5

3d39fec35a5f452c0db148cbd14b4714
SHA1

0ec583ec149f2e3c63817d0bf7427517ced39cd4
SHA256

ad09cad94d3f34e6babb5eb746be8fa357358692f5e617bacc6238d6923d7af5
SHA512

e5d173fcb203ca11a9e801385e675408ed70b01aa6c62b3ef3b317fbb3e0fca87fcb71ed6aeee53a9c920bfd16246817f696d96451dac26a1be5dcf22dfede6a
SSDEEP

3072:pNbFdNhJ3m/n9XBa5pLi9uB36JIOxhIYcD82E+sgRaNqGF/dVyAbu:JhM9RiLiK3nsha4TgRUqcVySu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2448	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	3d39fec35a5f452c0db148cbd14b4714_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2448	3060	3d39fec35a5f452c0db148cbd14b4714_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2448	3060	3d39fec35a5f452c0db148cbd14b4714_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2448	3060	3d39fec35a5f452c0db148cbd14b4714_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2356	2448	server.exe	31
PID 2448 wrote to memory of 2356	2448	server.exe	31
PID 2448 wrote to memory of 2356	2448	server.exe	31

C:\Users\Admin\AppData\Local\Temp\3d39fec35a5f452c0db148cbd14b4714_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d39fec35a5f452c0db148cbd14b4714_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp\server.exe
    3⤵
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
91KB

MD5
f6605223111ea57da8b91de112d04e78

SHA1
8d8cf0134cf4cb0511a12059a9a528d708eb3338

SHA256
181c8461a1b840b8d0a853c801c065a5b807e860ff18b6813031e147c2c07754

SHA512
b80b7415bcbb68c0dbe4a48092493728bd2f866ba4d25b49106782623a9264af037e68586bcb7f995fe6f38e5ba1d8a56e067ebf6310261c223f5dfee67c81d5

Download Submit
memory/2448-11-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-10-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-12-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-13-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-0-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-2-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-6-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-9-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download