Overview

overview

7

Static

static

3

49cb8966ef...18.exe

windows7-x64

7

49cb8966ef...18.exe

windows10-2004-x64

7

$PLUGINSDI...nu.dll

windows7-x64

3

$PLUGINSDI...nu.dll

windows10-2004-x64

3

$TEMP/PlayMe.exe

windows7-x64

3

$TEMP/PlayMe.exe

windows10-2004-x64

3

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 12:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    49cb8966eff77f732b40d852cb79c380_JaffaCakes118.exe

  • Size

    148KB

  • MD5

    49cb8966eff77f732b40d852cb79c380

  • SHA1

    5665057e803ccacfa8ca3facda766759b6cc9d12

  • SHA256

    24e851ab58fa7b4fa63262424f07afe86208c587d77762266a010daf5c40d9f4

  • SHA512

    fd33de81282014c865c453c793a789bcc05ac130f09e447544d78f987a988ffbf2df9ca566eb588881ebf4178ea8f18313c53137addb5aea7392dc4db5fc9146

  • SSDEEP

    3072:SPg729btBovpvw6RkMcXwcTaufYsy/nKTitKlWCDETIU:wI2F4hvwQJUfAsInqlNA

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49cb8966eff77f732b40d852cb79c380_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\49cb8966eff77f732b40d852cb79c380_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\PlayMe.exe
      C:\Users\Admin\AppData\Local\Temp\PlayMe.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 324
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2900

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\PlayMe.exe
          Filesize

          90KB

          MD5

          790a8d36746004f13bb7f7978c43a530

          SHA1

          2b55413f9732ae9d6945f8421348ba8bfb4aeedb

          SHA256

          d22557c3d0defdf899f6f8162d108975723640e883ad186aceb11631d62ca294

          SHA512

          698ee549344deeb7033afb9806c84af85a401d406f742310317154af67ba9951863c9708e056625c0e73359edacdc924fbc18b38545609f1ce922a74bbe0405c

          Download Submit

        • memory/2708-19-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

          Download

        • memory/3052-14-0x0000000000250000-0x000000000026B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/3052-15-0x0000000000250000-0x000000000026B000-memory.dmp

          Filesize

          108KB

          Download