04abf69f8d852ee2069ac9adf109ae88fd4bb67219c08633357214e41e4db46c

Analysis

max time kernel
141s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490503723f64966e61524897ba346943_JaffaCakes118.exe
Size

1.6MB
MD5

490503723f64966e61524897ba346943
SHA1

99efb2aeec31b4f94388c3f94627fb6c85e8cc3a
SHA256

04abf69f8d852ee2069ac9adf109ae88fd4bb67219c08633357214e41e4db46c
SHA512

8e5cf7e94315507de325935a9e3fa5ce12d2913277403250b92d140a8ccc4e61c7ddea62e3acf287b7cf3523d87785c521482df55705ae989b21b81028f9f8ec
SSDEEP

49152:/GtQGDjzGqR06oNGNCJ+AJoku8/j+ShxwDs:OtJ3GqqBNGNWAUkDs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5036	is-DBM3F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 5036	2652	490503723f64966e61524897ba346943_JaffaCakes118.exe	85
PID 2652 wrote to memory of 5036	2652	490503723f64966e61524897ba346943_JaffaCakes118.exe	85
PID 2652 wrote to memory of 5036	2652	490503723f64966e61524897ba346943_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\490503723f64966e61524897ba346943_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\490503723f64966e61524897ba346943_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\is-9RFLQ.tmp\is-DBM3F.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9RFLQ.tmp\is-DBM3F.tmp" /SL4 $D0052 "C:\Users\Admin\AppData\Local\Temp\490503723f64966e61524897ba346943_JaffaCakes118.exe" 1407286 89600
  2⤵
  - Executes dropped EXE
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9RFLQ.tmp\is-DBM3F.tmp

Filesize
694KB

MD5
7866fb2707b959dfc3a2a6db212e8e1a

SHA1
2a02b6f19c928d822cfcf424fcf8cca4df636352

SHA256
da7899ef1b95df5cacadb6372a57d220a2b01c937aefee9bd39c0f313094d305

SHA512
5cc330f7e2b78befd780bb7288db3cb555edc4b4e845d13617e544b8114724afd7a542eb4a1e628b5e63895d20170ea38f5014d7b1fc23e86081bd46a9f40459

Download Submit
memory/2652-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2652-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2652-17-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5036-7-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5036-18-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download