8da0c9acce7dad3e223b073090b620484194cfe40d88c6f2df966eaa673dc32d

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 12:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe
Size

133KB
MD5

41a6be2e3028597b5c2eebeca50f89f8
SHA1

a789003ef80b4f462cee6064aca00632d200171a
SHA256

8da0c9acce7dad3e223b073090b620484194cfe40d88c6f2df966eaa673dc32d
SHA512

51d0f5744a94f238bbeb17bd258f40eaf09196630c5756f11f23850fadd22e1f202e33df0749b2d2d23ba09a82f5c8e20102e44a8692cde0ca8069b18d608f18
SSDEEP

3072:U1vjutlLWIXxnH+ypSXBKBlJp2ex2qwije:UFjBIXVL0BiGsw

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCEJWRHGL.lnk	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	NQOKSO

Loads dropped DLL 3 IoCs

pid	Process
1900	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe
1900	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe
1900	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2624	1900	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2624	1900	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2624	1900	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2624	1900	41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41a6be2e3028597b5c2eebeca50f89f8_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\NQOKSO
  "C:\Users\Admin\AppData\Local\Temp\NQOKSO"
  2⤵
  - Executes dropped EXE
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\CXCWLVHXD.exe

Filesize
99KB

MD5
6d55255ecd37fe4835c5185d8ab88f72

SHA1
2792369d2ea37c3045b7a70855b50b57f50902cb

SHA256
8eb8d66bd7bb20dab0f521a483bbf6b33929667a315003048649bebdab9e1d44

SHA512
188d1e1c9f4acd8cb2be2c2b7cc9066a99b450d7a0db36d6bf8221e5a4acf56fef9584f30a9c5bf9f5228b18f72c21846798937a2deac1c08a6a6a040465b897

Download Submit
\Users\Admin\AppData\Local\Temp\NQOKSO

Filesize
34KB

MD5
469c40e2937b03773ee7136ed56b19f0

SHA1
9f76e2b4ef0ad02d707c1cf138425957f42e4df3

SHA256
c8ec1d35d9b1677a3924aaa0620cb1ec531f7a14e1ee5859cfb9c67db2889d8e

SHA512
6355fa28d03a1e8467b6bf7237642b079e01bbee5cb83be1df2ba76ce5358aa41544b8b102f4c8bef437a73545dabe9503de7a2f1a83762773655cf8853c6aee

Download Submit
memory/1900-22-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download