2b88ce07a2a0e92dba8c045da70f81753d121104443549f82a16844b286f2deb

Analysis

max time kernel
123s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
Size

408KB
MD5

3ff524b4338d2f401259a7fccdfc1b17
SHA1

6afe63c39d798d6bc634347f281aec529087e66d
SHA256

2b88ce07a2a0e92dba8c045da70f81753d121104443549f82a16844b286f2deb
SHA512

d2937dad49e1e0b8cb23a02d90a2ff670a67fda7f095f774fe170615616b712d35dd13325ade3ec31ecd9c1e7643fb4759b1db0b0ae3f89726fe2378362e6890
SSDEEP

6144:C7mU1aYIXB/X09QDZgK58JULqTODz8NKYQeKhwjMj22DC9OqyzcUjsyUf3mnn:C7msQRX0U58CLUAYDiwjmOyotyU+nn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\CurrentVersion\Info	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2976	2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe	29
PID 2304 wrote to memory of 2976	2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe	29
PID 2304 wrote to memory of 2976	2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe	29
PID 2304 wrote to memory of 2976	2304	3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ff524b4338d2f401259a7fccdfc1b17_JaffaCakes118.exe"
1⤵
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\rmeslf.bat
  2⤵
  - Deletes itself
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\rmeslf.bat

Filesize
232B

MD5
bf9c1e46ea65f8c2bfa0f675e577ce1e

SHA1
f8b97bfa7e2bc38c0c7a4df13b7d68ec40b5c0d2

SHA256
312c594125b31d684ddf793e86e8999f4d70a8df7e13abb05eafee01cc1a026a

SHA512
1858b57ea5a190816707e456df4c89bf28580aadf0b7c53062866b676ba34e8d62b249a6f2140b09bdbe365259ecd08166018b15a1fbe6313dbd8a40219b9fde

Download Submit