3dc5a730c24693a7051a6ac70abfd550c468ce5149d1481f1442a5294f35a9ac

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe
Size

216KB
MD5

3fb76896ddf8edd57e2759c7fbc4d3b1
SHA1

4cb1ae845ac3670a3d6d2f3a3dbf386ce419dfd4
SHA256

3dc5a730c24693a7051a6ac70abfd550c468ce5149d1481f1442a5294f35a9ac
SHA512

6b6a252575e20646085d747894a2ba14ae4ee3217ceb0650c67061d0b2895d1775071f38bd88480ef28df21b7216224c4bf2a62766b9d21a60ff627cebf66143
SSDEEP

6144:PUao/pNNfzgOuIwEZrg1t10oeKLH21ntTZq:sv/rNfJVwj1teKH2vtq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
300	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	Remote.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2300	2740	Remote.exe	33

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Remote.exe	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe
File opened for modification	C:\Windows\Remote.exe	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 300	2372	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe	31
PID 2372 wrote to memory of 300	2372	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe	31
PID 2372 wrote to memory of 300	2372	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe	31
PID 2372 wrote to memory of 300	2372	3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe	31
PID 2740 wrote to memory of 2300	2740	Remote.exe	33
PID 2740 wrote to memory of 2300	2740	Remote.exe	33
PID 2740 wrote to memory of 2300	2740	Remote.exe	33
PID 2740 wrote to memory of 2300	2740	Remote.exe	33
PID 2740 wrote to memory of 2300	2740	Remote.exe	33
PID 2740 wrote to memory of 2300	2740	Remote.exe	33

C:\Users\Admin\AppData\Local\Temp\3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fb76896ddf8edd57e2759c7fbc4d3b1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\5990.bat
  2⤵
  - Deletes itself
  PID:300

C:\Windows\Remote.exe
C:\Windows\Remote.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe" 40294
  2⤵
  PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5990.bat

Filesize
226B

MD5
cb1f481bcf9917bf1df48b301535ea1e

SHA1
89fb043b5b29c80ef2ea03ebe386589d5f3df86b

SHA256
27bffc589872a00da38701e5117fd18673cd8106309401ff68f52d295cf4df01

SHA512
c0c65e23a52496107f75cc3cc6a37145f3346e8e346bbc7a0277805f35b485e4c5848134b4eaf152f7c1561b16a6eca3e7e43693df48b4bc3fe15e108d96ea0c

Download Submit
C:\Windows\Remote.exe

Filesize
216KB

MD5
3fb76896ddf8edd57e2759c7fbc4d3b1

SHA1
4cb1ae845ac3670a3d6d2f3a3dbf386ce419dfd4

SHA256
3dc5a730c24693a7051a6ac70abfd550c468ce5149d1481f1442a5294f35a9ac

SHA512
6b6a252575e20646085d747894a2ba14ae4ee3217ceb0650c67061d0b2895d1775071f38bd88480ef28df21b7216224c4bf2a62766b9d21a60ff627cebf66143

Download Submit
memory/2300-24-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2300-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2300-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-2-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2372-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2372-19-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2740-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2740-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2740-26-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download