fbce87894f475246cfdb5efed06614f174fd6345f58eaa67020635a296f3e84a

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/07/2024, 23:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe
Size

198KB
MD5

599d22017f850968d0ec29e42accfe9b
SHA1

9ca5d288344c3e925ad19433dfa4107c2ba7b812
SHA256

fbce87894f475246cfdb5efed06614f174fd6345f58eaa67020635a296f3e84a
SHA512

338971a86580a004fb25345b3e2c7353d4a8092ebe3797b4d51a3b0c6d5d5686f2f5de0aacaa875fe07914af75dd885505fdc1b83ca1c3095315fd169a511b03
SSDEEP

6144:OME1nmg1tDbJ5621YNdHJocb7FskF0mvnxyFKyH:HgnJfQ7Fbt8FJH

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe
Token: SeBackupPrivilege	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2544	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2544	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2544	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2544	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2544	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2544	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2544	2676	599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\599d22017f850968d0ec29e42accfe9b_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\temp\ipsec.bat" "
  2⤵
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\ipsec.bat

Filesize
77KB

MD5
29340174fa86ea9625fd8c61c04e18f4

SHA1
96986a8d0a0b0fc4f43d69337efbfaa2ada055a0

SHA256
b9fd8478ab88e422b7a7ca4f1a239ef04e9bc3c697a149f6191ead8c46947732

SHA512
d2edba37197a9fae529a4e5b46cc2127bad582ddfb1f9df8bf579f1b4de87f9e773c4addd573382719b1f0b28c7e4dc509796852385b9c4a1751b8d148bafb1e

Download Submit
memory/2676-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download