91fef3e033e4e98a05b8192d6597c31ae8172eb75413d689fa078ad7ad3f38a4

Analysis

max time kernel
94s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4baa0ab42f36911fe0060d748ac8048f_JaffaCakes118.exe
Size

335KB
MD5

4baa0ab42f36911fe0060d748ac8048f
SHA1

535befb72b626089f072f8cf19f2965282f5ccda
SHA256

91fef3e033e4e98a05b8192d6597c31ae8172eb75413d689fa078ad7ad3f38a4
SHA512

fbf65089f232a682b15b30ff2a65729d5c9bfb95e1f177480366c71ce21f3870d65007f2155f25b8e88cb01dd530a8f17f8990b840e835052869efa5342586a8
SSDEEP

6144:2lf39DpW/OMZ9tukERiDVOgi2O48CqdgbH9dSJEm98Mob8d4ldUP:2lvrW/RtukNDMz43qgEEm2nQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4408	cyberlink-powerdirector-8.00.3022.exe

Loads dropped DLL 1 IoCs

pid	Process
920	4baa0ab42f36911fe0060d748ac8048f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4408	cyberlink-powerdirector-8.00.3022.exe
4408	cyberlink-powerdirector-8.00.3022.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4408	920	4baa0ab42f36911fe0060d748ac8048f_JaffaCakes118.exe	84
PID 920 wrote to memory of 4408	920	4baa0ab42f36911fe0060d748ac8048f_JaffaCakes118.exe	84
PID 920 wrote to memory of 4408	920	4baa0ab42f36911fe0060d748ac8048f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\4baa0ab42f36911fe0060d748ac8048f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4baa0ab42f36911fe0060d748ac8048f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\cyberlink-powerdirector-8.00.3022.exe
  "C:\Users\Admin\AppData\Local\Temp\cyberlink-powerdirector-8.00.3022.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cyberlink-powerdirector-8.00.3022.exe

Filesize
417KB

MD5
a6a4696c41f2d08221d3ead88dbacf36

SHA1
95bac13b99ef30f772ad26e3addf609cebb866a3

SHA256
3ddd8e540dda57007c9d5817954e0992f983cf243e2d167892378344a40047e4

SHA512
ccbb50e4518bb3602ce13179644f13cbc0771fff61f4511a8ea70287231fae289eea0a2971559c64300da2575f347e6e577742981af86076132982d3337d2349

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx983A.tmp\NSISdl.dll

Filesize
72KB

MD5
146f66baf9d049735cc35f83bed40994

SHA1
efac0e51d71524ab69c17f8d329958772d6586b0

SHA256
3453eb3506515053af667f2f07c4d84acf165e94f6ee1764d9711b0313d9e6eb

SHA512
9ae7d511f70e6af4802e516c43bccb758b15cd01aaf0c1137fc7f3875307ff512478d4529685834fc311b3073e02e569597315a8b458a125860e01b66b21ccf3

Download Submit
memory/920-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download