c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
Size

120KB
MD5

46143d2dcb939fe3cce62ea2c8401aec
SHA1

6d9b033fc1571793a90f9e4d99305e3f137dd811
SHA256

c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d
SHA512

00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560
SSDEEP

3072:hGN9qJK8zxBf/+L8Cabilf6N4wT6o8K8GthgB/w:W9ixBebaE65

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
436	snss.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\snss.lnk	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
File opened for modification	C:\Windows\ff.bat	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
File created	C:\Windows\snss.exe	cmd.exe
File opened for modification	C:\Windows\snss.exe	cmd.exe
File opened for modification	C:\Windows\snss1.exe	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
808	taskkill.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
4776	PING.EXE
4596	PING.EXE
1928	PING.EXE
1468	PING.EXE
2916	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1684	1268	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe	84
PID 1268 wrote to memory of 1684	1268	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe	84
PID 1268 wrote to memory of 1684	1268	46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe	84
PID 1684 wrote to memory of 4776	1684	cmd.exe	86
PID 1684 wrote to memory of 4776	1684	cmd.exe	86
PID 1684 wrote to memory of 4776	1684	cmd.exe	86
PID 1684 wrote to memory of 4596	1684	cmd.exe	89
PID 1684 wrote to memory of 4596	1684	cmd.exe	89
PID 1684 wrote to memory of 4596	1684	cmd.exe	89
PID 1684 wrote to memory of 1928	1684	cmd.exe	90
PID 1684 wrote to memory of 1928	1684	cmd.exe	90
PID 1684 wrote to memory of 1928	1684	cmd.exe	90
PID 1684 wrote to memory of 1468	1684	cmd.exe	91
PID 1684 wrote to memory of 1468	1684	cmd.exe	91
PID 1684 wrote to memory of 1468	1684	cmd.exe	91
PID 1684 wrote to memory of 2916	1684	cmd.exe	92
PID 1684 wrote to memory of 2916	1684	cmd.exe	92
PID 1684 wrote to memory of 2916	1684	cmd.exe	92
PID 1684 wrote to memory of 808	1684	cmd.exe	93
PID 1684 wrote to memory of 808	1684	cmd.exe	93
PID 1684 wrote to memory of 808	1684	cmd.exe	93
PID 1684 wrote to memory of 436	1684	cmd.exe	95
PID 1684 wrote to memory of 436	1684	cmd.exe	95
PID 1684 wrote to memory of 436	1684	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46143d2dcb939fe3cce62ea2c8401aec_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\ff.bat
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4776
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4596
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1928
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1468
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im snss.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- - C:\Windows\snss.exe
    "C:\Windows\snss.exe"
    3⤵
    - Executes dropped EXE
    PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ff.bat

Filesize
581B

MD5
df0dcc0c8115b89296f85865537891c7

SHA1
a107b1947f6095c984df2639f148d699cdf86b66

SHA256
94d454be9f4bddf2bed180881bb90b75c6eb4c8f3b87b0960c8057ecdae87020

SHA512
870c34fa985f8ee2d683e261fce78e3b59da494f36d54ee52bc1bb6191233c8ba6b8aeb334bd09b11d783a9673b9d52358d1a63782a1e6d075348040490b6a73

Download Submit
C:\Windows\snss.lnk

Filesize
1KB

MD5
8370b2e0c1cb4e1b5db16168684ca13d

SHA1
449fd15ff029621ef095bbdf6994276eb5afc8a1

SHA256
e15b38b0b7a66399a6ae32dae6b1590e54f83eb5ca642f5e8b231dceb2cc10ff

SHA512
52af3d0aff0745093aa839c412dbbe6789aa31b8548631073e4657aad9e7d5484b452830b187c76a9790000b378a8c0b019d24ed752d74b3a2bdea3c8d8f2da2

Download Submit
C:\Windows\snss1.exe

Filesize
120KB

MD5
46143d2dcb939fe3cce62ea2c8401aec

SHA1
6d9b033fc1571793a90f9e4d99305e3f137dd811

SHA256
c920c5c4f7b71c16aacfddc895cae009a222520ffab21ee19017256d87e1a26d

SHA512
00e0bb6db40c5b7c111cfd3f3d3923213ccf9c76d00802f1b06aea35e4eee66a3ccdfdd264d110e25cad6636a40eb87866ffea0d4e869aec2cb34a13d312d560

Download Submit
memory/436-15-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1268-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download