3e36a15a0369490e1ee6c0c1228946f2e3f18b6026005cfffd906d777642f2a4

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 08:31

Target

49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe
Size

681KB
MD5

49011d3e6f980bc6ddf0c323a5a3b379
SHA1

8db6eee086980a25c726380f979b97eed9b2abbb
SHA256

3e36a15a0369490e1ee6c0c1228946f2e3f18b6026005cfffd906d777642f2a4
SHA512

56e69aa85f2ea6808a696dfe2c1e0cca91fd64d9b75dd782796b29214143df8b4c77bc80b16b53f5f0a8e537cb788462deb8449648fdf0b2a55331cf0780b585
SSDEEP

12288:IBzDnDutJ8myW+7kyP2Ybo7U3gVGBLuEkxG293E7/JrAlMC9n6fd23LZ2:IB3DuD8NWkkyero3GCurxH92rAlMCcVD

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
3036	File277.exe
2276	File277.exe

Loads dropped DLL 3 IoCs

pid	Process
2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe
2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe
2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe
2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe
2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 3036	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3036	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3036	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	30
PID 2504 wrote to memory of 3036	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2276	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2276	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2276	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2276	2504	49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49011d3e6f980bc6ddf0c323a5a3b379_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Extract\File277.exe
  C:\Extract\File277.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Extract\File277.exe
  "C:\Extract\File277.exe"
  2⤵
  - Executes dropped EXE
  PID:2276

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Extract\File177.exe

Filesize
576KB

MD5
89337d4b3beabdd1be5a661c85e0047f

SHA1
e0feb039c75fce6cdf7573a66e4ae278ffff66d0

SHA256
cdba49747e78f25d2d794f835e1f18def2300b37f5a612f29480f81cf4b048bf

SHA512
73e1dad1e54431f9ced83b4d0802230916349ac81b15a404997a90519e679426879b172ff9bf1ab308c2fcb6e4503fad1a3a3c61894459bc660894b484f3f284

Download Submit
\Extract\File277.exe

Filesize
6KB

MD5
e8cb285d84d57314371c96aa62b436ca

SHA1
2bd5681359a639d932b2d0a4c6fd6a1897d7c51f

SHA256
e8adf438f412054edfd011464a946df2fbb2a3edb44b2237a9aced1ec44c21bd

SHA512
1910ce4f919eb47fe277d93fff86fb62d27773a59d72c28f509d35019a87a6448339553ab79687cdebf132d3e785ad6fa942497b18bcb572a17452df588ea864

Download Submit
memory/2504-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download