f6594f9cb285e3d8035e6e7ee044a689e3d39b67c2a57fa3f8f23088c37d4c28

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe
Size

412KB
MD5

4a8c0d516a7936248acc6115096c0327
SHA1

cc4ee08736f3d4de66e9713793602cc6fbcf802e
SHA256

f6594f9cb285e3d8035e6e7ee044a689e3d39b67c2a57fa3f8f23088c37d4c28
SHA512

053906ad5af0039da4030bd48c28a88baae8791b0cb785d33f9d67a250b25394b191aa5a930c16482f4fd698a2a471a32d01d64e9f1469f3a2d2d7c84f4a21ae
SSDEEP

12288:fv+nb6fSzABD2W1kSRkqIuZ/wazPUkni:fqGqz82UkSqM/rU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
456	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	faumcm.exe

Loads dropped DLL 3 IoCs

pid	Process
456	cmd.exe
456	cmd.exe
2644	faumcm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1108	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2812	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe
2644	faumcm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 456	2368	4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe	29
PID 2368 wrote to memory of 456	2368	4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe	29
PID 456 wrote to memory of 1108	456	cmd.exe	31
PID 456 wrote to memory of 1108	456	cmd.exe	31
PID 456 wrote to memory of 1108	456	cmd.exe	31
PID 456 wrote to memory of 1108	456	cmd.exe	31
PID 456 wrote to memory of 2812	456	cmd.exe	33
PID 456 wrote to memory of 2812	456	cmd.exe	33
PID 456 wrote to memory of 2812	456	cmd.exe	33
PID 456 wrote to memory of 2812	456	cmd.exe	33
PID 456 wrote to memory of 2644	456	cmd.exe	34
PID 456 wrote to memory of 2644	456	cmd.exe	34
PID 456 wrote to memory of 2644	456	cmd.exe	34
PID 456 wrote to memory of 2644	456	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2368 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4a8c0d516a7936248acc6115096c0327_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\faumcm.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2368
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2812
- - C:\Users\Admin\AppData\Local\faumcm.exe
    C:\Users\Admin\AppData\Local\faumcm.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\faumcm.exe

Filesize
412KB

MD5
4a8c0d516a7936248acc6115096c0327

SHA1
cc4ee08736f3d4de66e9713793602cc6fbcf802e

SHA256
f6594f9cb285e3d8035e6e7ee044a689e3d39b67c2a57fa3f8f23088c37d4c28

SHA512
053906ad5af0039da4030bd48c28a88baae8791b0cb785d33f9d67a250b25394b191aa5a930c16482f4fd698a2a471a32d01d64e9f1469f3a2d2d7c84f4a21ae

Download Submit
memory/2368-1-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2368-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2368-2-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2368-5-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-14-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-12-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-11-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-10-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-15-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-16-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-17-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-18-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-19-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-20-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-21-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2644-22-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download