c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
Size

120KB
MD5

46143d2dcb939fe3cce62ea2c8401aec
SHA1

6d9b033fc1571793a90f9e4d99305e3f137dd811
SHA256

c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d
SHA512

00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560
SSDEEP

3072:hGN9qJK8zxBf/+L8Cabilf6N4wT6o8K8GthgB/w:W9ixBebaE65

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1484	snss.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\snss1.exe	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
File created	C:\Windows\snss.lnk	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
File opened for modification	C:\Windows\ff.bat	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
File created	C:\Windows\snss.exe	cmd.exe
File opened for modification	C:\Windows\snss.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2236	taskkill.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2960	PING.EXE
2724	PING.EXE
2580	PING.EXE
2708	PING.EXE
2776	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	taskkill.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2784	2312	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2784	2312	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2784	2312	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2784	2312	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2776	2784	cmd.exe	32
PID 2784 wrote to memory of 2776	2784	cmd.exe	32
PID 2784 wrote to memory of 2776	2784	cmd.exe	32
PID 2784 wrote to memory of 2776	2784	cmd.exe	32
PID 2784 wrote to memory of 2960	2784	cmd.exe	33
PID 2784 wrote to memory of 2960	2784	cmd.exe	33
PID 2784 wrote to memory of 2960	2784	cmd.exe	33
PID 2784 wrote to memory of 2960	2784	cmd.exe	33
PID 2784 wrote to memory of 2724	2784	cmd.exe	34
PID 2784 wrote to memory of 2724	2784	cmd.exe	34
PID 2784 wrote to memory of 2724	2784	cmd.exe	34
PID 2784 wrote to memory of 2724	2784	cmd.exe	34
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 2784 wrote to memory of 2708	2784	cmd.exe	36
PID 2784 wrote to memory of 2708	2784	cmd.exe	36
PID 2784 wrote to memory of 2708	2784	cmd.exe	36
PID 2784 wrote to memory of 2708	2784	cmd.exe	36
PID 2784 wrote to memory of 2236	2784	cmd.exe	37
PID 2784 wrote to memory of 2236	2784	cmd.exe	37
PID 2784 wrote to memory of 2236	2784	cmd.exe	37
PID 2784 wrote to memory of 2236	2784	cmd.exe	37
PID 2784 wrote to memory of 1484	2784	cmd.exe	39
PID 2784 wrote to memory of 1484	2784	cmd.exe	39
PID 2784 wrote to memory of 1484	2784	cmd.exe	39
PID 2784 wrote to memory of 1484	2784	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ff.bat
  2⤵
  - Deletes itself
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2776
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2960
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2724
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2580
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im snss.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\snss.exe
    "C:\Windows\snss.exe"
    3⤵
    - Executes dropped EXE
    PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ff.bat

Filesize
581B

MD5
df0dcc0c8115b89296f85865537891c7

SHA1
a107b1947f6095c984df2639f148d699cdf86b66

SHA256
94d454be9f4bddf2bed180881bb90b75c6eb4c8f3b87b0960c8057ecdae87020

SHA512
870c34fa985f8ee2d683e261fce78e3b59da494f36d54ee52bc1bb6191233c8ba6b8aeb334bd09b11d783a9673b9d52358d1a63782a1e6d075348040490b6a73

Download Submit
C:\Windows\snss.lnk

Filesize
1KB

MD5
5d7615797529e6dd071408b25e1237fd

SHA1
d3c4519a655f5c1d5159ee24e69dcf4b21b45f56

SHA256
92728ad86d08de628ac876ad263e08d1f74a7df48bb01e9937e4ad801315c1a8

SHA512
5321fc66cfb93ae135aed155b823576fb65d5e468dfc7ed31167550305aa3ffbe0a15e2028c564e0c469ecf1baa4897007570d179496a335f507c09477743e29

Download Submit
C:\Windows\snss1.exe

Filesize
120KB

MD5
46143d2dcb939fe3cce62ea2c8401aec

SHA1
6d9b033fc1571793a90f9e4d99305e3f137dd811

SHA256
c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

SHA512
00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560

Download Submit
memory/1484-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2312-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download