b0df06bd9436afd617d19ed33d8e3c9d0f99f88e3ddf31e560075c8be1e57e54

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ac3735dc40868bde2a3d6c78f4710e_JaffaCakes118.exe
Size

205KB
MD5

47ac3735dc40868bde2a3d6c78f4710e
SHA1

b5709952f73bbdf627838a26517053cc981ed479
SHA256

b0df06bd9436afd617d19ed33d8e3c9d0f99f88e3ddf31e560075c8be1e57e54
SHA512

d5a2494024039e0f3dd4d9ae823369c331d6451612bf8306ea7f259204798e2feef9c79e9a0337c43a9b8abce3d83cdb8927a85af8b6df6639750696c1f9bed5
SSDEEP

6144:E89sWsOhfM9UCUmTWCMIv84ygTnFXCVjNRQb:59hN8XTWCFv9Fqjcb

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2480	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2388	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2388	AcroRd32.exe
2388	AcroRd32.exe
2388	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2480	2632	47ac3735dc40868bde2a3d6c78f4710e_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2480	2632	47ac3735dc40868bde2a3d6c78f4710e_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2480	2632	47ac3735dc40868bde2a3d6c78f4710e_JaffaCakes118.exe	31
PID 2632 wrote to memory of 2480	2632	47ac3735dc40868bde2a3d6c78f4710e_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2388	2480	cmd.exe	33
PID 2480 wrote to memory of 2388	2480	cmd.exe	33
PID 2480 wrote to memory of 2388	2480	cmd.exe	33
PID 2480 wrote to memory of 2388	2480	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\47ac3735dc40868bde2a3d6c78f4710e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47ac3735dc40868bde2a3d6c78f4710e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ldwc.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\.pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.pdf

Filesize
122KB

MD5
884a1254978676cdb6cc849cd327a5a9

SHA1
6cee906350a9dbd38190fd3fafdcc7dc432c85a0

SHA256
3ce057263fc8e2b2fdab1077ee2dd13d3ceffeb47edae822b76b0c2cf8029723

SHA512
ba1ccc6eef50a169516065395f9caddde959ce0bddf0689e14da211347b159d26c5cd9886dbe92770a4cb19aaa0f15350cc806f04814d54b93918157421947e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldwc.bat

Filesize
30KB

MD5
7e09e23be4317f5d4d3c2c351efb2021

SHA1
f0836c65bf9a2ecb8d2a073745148d42aa7ace83

SHA256
85cc9b11a4a72642300ebbb64fa0ff751a0c907b85934ec4a91ecdec036754ce

SHA512
33666d4b13d078dd76ba5b89d2daf3b12559f89fffc37c862c2421865956164d27376c66697057c563b192a9ecd8474ead99d71e488154518d5e42ceb9e76732

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
80B

MD5
b5b6c3ff2817df6a63ce5bb1c2b90819

SHA1
2eeb7fdb73dd3e51980919d7b4f54b15e7e952b6

SHA256
0cf00ae4720bb30b6c1ca892c9438494c8970f15f7237b7b88c9ef2a75206464

SHA512
a00eb0eb596ef370a5b35a719f8bdea630a0d80dbaa7fae7524cead33a9cde986c41fe562ab90873353ade43983a881efabda7a136b8951486ab4e267cd2a761

Download Submit
C:\Users\Admin\AppData\Local\Temp\~awinhp.tmp

Filesize
4KB

MD5
2be064f48a055a26202c86fc075640eb

SHA1
c8bde7ea195c1ad7a15c7141d58310b3a6cc8858

SHA256
80816c46c49e47d4e048a6a00c1816b39b7c68de298fef029eade88f1592376a

SHA512
4ef352bd51fb25940f3064e8412df0f2b206758d478c2e1dc154783215b8a6e25d70d26d686815b6ab18a465d5860b73c349b50fc1c9eb258c46c30356f5b017

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2d15a499d11039dabca7edc2a0c951b0

SHA1
a29058e5acac2fef0278341240964918c1d43567

SHA256
b939374843adccc689000c13efad9cc731516f0edd4ab8011f8e7d45204bc455

SHA512
95383ace4425f2e5962b6d3abff6db55392dbf648d636b1a40fa40701340bb372058808617e182e10cb166c989fe61b36dd3c6a687584a5a673ec04c757c821a

Download Submit