54dc610a93ed8ea0299f4605f1de55225df590deb24512c315cb46c3b65fc7c2

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe
Size

160KB
MD5

40ae9c6292feac7a783d425852a289c7
SHA1

2a54a111a457940d339bfc4f5f1440d10ccac6ea
SHA256

54dc610a93ed8ea0299f4605f1de55225df590deb24512c315cb46c3b65fc7c2
SHA512

dd3e435715ff406abad783707789c2446d3ca6788aaa87fb9179286221eb1a36b4254c912fec2a921ad7d7faf807f060ed2b5b569d8b93d1d646f91a3558aad8
SSDEEP

3072:RHvywZ1KMYJB3T4r2FS2dg1Q9dX+ChdJHnzq/edgGm2APkZzEoQtXzsXEUyovNTk:lyK1KvJ5y2FSK0+Jzh/mxkZQoQlsXmYm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	hg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\hg.exe	40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	2792	WerFault.exe	31

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2800	40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2792	2800	40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2792	2800	40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2792	2800	40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2792	2800	40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe	31
PID 2792 wrote to memory of 2776	2792	hg.exe	32
PID 2792 wrote to memory of 2776	2792	hg.exe	32
PID 2792 wrote to memory of 2776	2792	hg.exe	32
PID 2792 wrote to memory of 2776	2792	hg.exe	32

C:\Users\Admin\AppData\Local\Temp\40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40ae9c6292feac7a783d425852a289c7_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\hg.exe
  "C:\Windows\hg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 36
    3⤵
    - Program crash
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\hg.exe

Filesize
142KB

MD5
930a0b78108b326da3dbc33efec102c2

SHA1
f79f09e824779cb88ac09bf4a8d7e8f4c7855462

SHA256
e2523105fcb1d2b70c6850fedcf43a5d138402447c825d959ec844ced97c2b28

SHA512
9c8497305c360fce2ff55352e3a296f0893cbf5335b182599cc799e5b0971439a6c2b33d450d08864cec1f6aae8454b24a5045138548b485e34bc84a2cbe7153

Download Submit
memory/2792-10-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2800-1-0x0000000000400000-0x000000000042B200-memory.dmp

Filesize
172KB

Download
memory/2800-9-0x0000000002800000-0x0000000002864000-memory.dmp

Filesize
400KB

Download
memory/2800-8-0x0000000002800000-0x0000000002864000-memory.dmp

Filesize
400KB

Download
memory/2800-11-0x0000000000400000-0x000000000042B200-memory.dmp

Filesize
172KB

Download