5f31cb90c84c93b56f61c37f332948576e124021a60439341d0e61868de90039

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe
Size

320KB
MD5

46f499ebb25b292f0fc3323de2686b83
SHA1

2a4a0af6fa31fcdd8efec516d5dbd5138d6244c6
SHA256

5f31cb90c84c93b56f61c37f332948576e124021a60439341d0e61868de90039
SHA512

b118a2ad2cb47262ccdd7c1711a1393861c4689f52f7ad89be15eba3f13023e46f05b7c082fa25132b23b0fbe74af2ccf498e5d743d1db609e00295039f0abb9
SSDEEP

6144:+SB1Ed0h/CB5OVhc97oOWm/CdRIXlHePEZizQdkFVukaeVdz3Tjfn0yBV:+81Ed0hYcVhlOTCUXl+PEZikUViYlnVr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2172	FFCImage.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe
1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2172	1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2172	1972	46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46f499ebb25b292f0fc3323de2686b83_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\FFCImage.exe
  "C:\Users\Admin\AppData\Local\Temp\FFCImage.exe"
  2⤵
  - Executes dropped EXE
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\xs1092.txt

Filesize
72B

MD5
dff811eaffc442e0d2ed17d847e02768

SHA1
2a3ba79c5b2e317622bb91aa370a85430248ee93

SHA256
8963db19c5268736f0900a68f047efe32a29fcfdb5a7053f25eaae6b1eb90ba1

SHA512
f6535f75af3f50c35429d7c865178440548a2d51b42a4e9a1c648afcbc0bc6e6adcb38118f82b4a7d6e8769c6867e432f62d2d8ac1646832e4afd0b4450c21cb

Download Submit
\Users\Admin\AppData\Local\Temp\FFCImage.exe

Filesize
547KB

MD5
8cf33b15214242d31d70be8d43237b78

SHA1
c1c3e08b7bdc7ac1c9c5ecfe1ca918d913fafafb

SHA256
9dbc6de0145b24dbb8ef653b35c5258e2407ff4e21858f5969784664887ca50f

SHA512
468a05c4602106effca9f90e92af0816024f99334abfa9ad354e5d83574d4d778a297d3566592b301571d7e166108942e422a4e81965c87e6393ef7c694d04e4

Download Submit
memory/2172-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2172-19-0x0000000001140000-0x00000000011CE000-memory.dmp

Filesize
568KB

Download