855d6cdc493754816ce2fc87d124d4368773bc53422371d37bd6e2dff40295f9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aa946674c0ca9299c8c4552901c6ef2_JaffaCakes118.exe
Size

299KB
MD5

4aa946674c0ca9299c8c4552901c6ef2
SHA1

52d32f1dafec73afcb3fc5b2c885eed46b4a9d7d
SHA256

855d6cdc493754816ce2fc87d124d4368773bc53422371d37bd6e2dff40295f9
SHA512

037d10a02038c28f5434c6a6a59c4b3409ca49e24caf09288548d4df8907fc06cfbf7e8c7122ac2b6146d24608a84707782afd7d257991e3bb7890f183a4e6d1
SSDEEP

6144:fpV+WdE0y/uiT1kS88MEfBpBS1lGhxoMJulw9KDYAaJo9yoSJ:zE0CuiT1h88FfBp8TGhxoMHKYxJowoS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
116	RemoteAbc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\R_Server\RemoteAbc.exe	4aa946674c0ca9299c8c4552901c6ef2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
116	RemoteAbc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 1952	3456	4aa946674c0ca9299c8c4552901c6ef2_JaffaCakes118.exe	87
PID 3456 wrote to memory of 1952	3456	4aa946674c0ca9299c8c4552901c6ef2_JaffaCakes118.exe	87
PID 3456 wrote to memory of 1952	3456	4aa946674c0ca9299c8c4552901c6ef2_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\4aa946674c0ca9299c8c4552901c6ef2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4aa946674c0ca9299c8c4552901c6ef2_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\LRAUTB.bat
  2⤵
  PID:1952

C:\Program Files (x86)\R_Server\RemoteAbc.exe
"C:\Program Files (x86)\R_Server\RemoteAbc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\R_Server\RemoteAbc.exe

Filesize
299KB

MD5
4aa946674c0ca9299c8c4552901c6ef2

SHA1
52d32f1dafec73afcb3fc5b2c885eed46b4a9d7d

SHA256
855d6cdc493754816ce2fc87d124d4368773bc53422371d37bd6e2dff40295f9

SHA512
037d10a02038c28f5434c6a6a59c4b3409ca49e24caf09288548d4df8907fc06cfbf7e8c7122ac2b6146d24608a84707782afd7d257991e3bb7890f183a4e6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRAUTB.bat

Filesize
218B

MD5
b67672b5636c1f5b5d0ec6b59b6c89eb

SHA1
01fdb383591bb6e0790648698acececd9b435986

SHA256
ac7ef94024f400f0b8f8eea3c7f69c4f44ab6fa0c90cc9146f861310fe4520b9

SHA512
71fe84e00459f1e8ccdf10376d1f43961905ca2b2012269186a772f2d4cf92a2c74bdff7a11654edcb3500f75e8dd0b8be314371c4da0d180ad1498ef70a9536

Download Submit
memory/116-5-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/116-6-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/116-12-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/116-14-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/116-16-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/116-20-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/116-24-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/3456-0-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download
memory/3456-1-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3456-10-0x0000000010000000-0x0000000010095000-memory.dmp

Filesize
596KB

Download