1d8bb46328d4a631196242c07941028c9bee0ae9236653ffc3d61cba3f209aea

Analysis

max time kernel
13s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 02:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c80781ecc472105c238b7b992a4113a_JaffaCakes118.exe
Size

127KB
MD5

4c80781ecc472105c238b7b992a4113a
SHA1

90a801b6e45b9580993156888fbcb1cd17b41ce0
SHA256

1d8bb46328d4a631196242c07941028c9bee0ae9236653ffc3d61cba3f209aea
SHA512

ea3940c95e8c9a94e5e73ba039e35c90610596bf1bc1937e6d23ce3e699e690fddc012b03acae94034377bbecb4d97c78cbdb73ee93ac5fc13e83af1ab8a052b
SSDEEP

3072:F/ZhdAfXWcjqwcsjmidQAFA4gax3LHELFzfIohj:FhhdAsh6JJA4gM3LEL7j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2700	CryptedFile.exe
2816	CryptedFile.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	CryptedFile.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2816	2700	CryptedFile.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2816	CryptedFile.exe
2816	CryptedFile.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	CryptedFile.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2700	2064	4c80781ecc472105c238b7b992a4113a_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2700	2064	4c80781ecc472105c238b7b992a4113a_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2700	2064	4c80781ecc472105c238b7b992a4113a_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2700	2064	4c80781ecc472105c238b7b992a4113a_JaffaCakes118.exe	29
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2700 wrote to memory of 2816	2700	CryptedFile.exe	31
PID 2816 wrote to memory of 1216	2816	CryptedFile.exe	20
PID 2816 wrote to memory of 1216	2816	CryptedFile.exe	20
PID 2816 wrote to memory of 1216	2816	CryptedFile.exe	20
PID 2816 wrote to memory of 1216	2816	CryptedFile.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\4c80781ecc472105c238b7b992a4113a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4c80781ecc472105c238b7b992a4113a_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
    "C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
      C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CryptedFile.exe

Filesize
84KB

MD5
7a1426bf71611f6382262e0b2cff7439

SHA1
7f7ef3e5f2c42d816e5cca797eabd3910749e803

SHA256
046d3a0d423236bfeb79559d77d51ffa65088d5ca03e28c2dd8e80ade49ad157

SHA512
1bc03c96148a3736808bd1de454a06f976f60e5b557c6d40ac5be79b3378db1ef9f5610b9f8629568bccc1174fcdff2f91084fd988d995b6fe23d091b4ee1936

Download Submit
memory/1216-31-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1216-28-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2064-17-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-0-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-2-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-3-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2700-26-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-23-0x0000000000480000-0x00000000004B9000-memory.dmp

Filesize
228KB

Download
memory/2700-15-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/2700-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2816-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2816-24-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2816-27-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2816-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download