8c15547bfca61fdb10749f239d8f4c9956054983bbf85ef83ff9750227441ba5

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe
Size

23KB
MD5

429f15cc348a4fde9efe7674918ad905
SHA1

a055bb652059fb58b8193033c4ad228ddd628a5d
SHA256

8c15547bfca61fdb10749f239d8f4c9956054983bbf85ef83ff9750227441ba5
SHA512

e8be894e23031196607af725f338dac195e44c3c4ed38afe768c69b35c124b2d8f04a0cd784752e2ab375fdb8ab7e794f026b88f8703ce056a7940f5bc068998
SSDEEP

384:uZiZ7ntrXGOuy6bkNIgeAo1Go0NQECpPQVFvA4FfqCQOsAWI4zuXJ6m1XVlt1:AYrXxi3x1Go+z0QzrJRQRAWIquXI4H

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2836	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1940	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2752	1940	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe	32
PID 1940 wrote to memory of 2752	1940	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe	32
PID 1940 wrote to memory of 2752	1940	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe	32
PID 1940 wrote to memory of 2752	1940	429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe	32
PID 2752 wrote to memory of 2836	2752	cmd.exe	34
PID 2752 wrote to memory of 2836	2752	cmd.exe	34
PID 2752 wrote to memory of 2836	2752	cmd.exe	34
PID 2752 wrote to memory of 2836	2752	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del "C:\Users\Admin\AppData\Local\Temp\429f15cc348a4fde9efe7674918ad905_JaffaCakes118.exe">>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
124B

MD5
e5a7ffe249a66b1af2d80fdc25856377

SHA1
ea23e2d7c3d84394ec35e5b34a425925dbe732fb

SHA256
06c562b3e423398118c55dfeb7d23ed0b31d5d97ec04592830b7a1161752f972

SHA512
8cbd95fa5d00f27d38af333664aaa3d9ac26438b0a52178a9994eaa7e1ce7a71781339cc55c9a0ce3ffd20e4e4a29a338f4b902aa76e4166540ef7e2188086c7

Download Submit
memory/1940-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1940-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1940-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1940-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1940-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1940-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download