5a5e803cc629c215fe97cf4b0a7ef0155768d65fa65705d55848eea2ebce8d75

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 03:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe
Size

328KB
MD5

5a4d4fd803279e474d73c2d6d4fa6a10
SHA1

73d97dca7edb7655072816f049f3a4e5fe8239b1
SHA256

5a5e803cc629c215fe97cf4b0a7ef0155768d65fa65705d55848eea2ebce8d75
SHA512

9b75f4db4839105b7b654dcc1aafaa4d3966971306be739041e7d1a95106d31b6cd088d5c27be97a140e3b16458c75a0301fe5d345ee4b2e99ca3c5858e920a9
SSDEEP

6144:qchym+ed6FTyWbPxrA0X/EPiwy5dsKnpCE4vxgkfLaN+uQMin09:aRg2THbJEPGWKn/JGLuN7i09

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	srrrc.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	cmd.exe
2032	cmd.exe
2780	srrrc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2484	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe
2780	srrrc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2032	2960	5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2032	2960	5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2032	2960	5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2032	2960	5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe	30
PID 2032 wrote to memory of 2484	2032	cmd.exe	32
PID 2032 wrote to memory of 2484	2032	cmd.exe	32
PID 2032 wrote to memory of 2484	2032	cmd.exe	32
PID 2032 wrote to memory of 2484	2032	cmd.exe	32
PID 2032 wrote to memory of 2700	2032	cmd.exe	34
PID 2032 wrote to memory of 2700	2032	cmd.exe	34
PID 2032 wrote to memory of 2700	2032	cmd.exe	34
PID 2032 wrote to memory of 2700	2032	cmd.exe	34
PID 2032 wrote to memory of 2780	2032	cmd.exe	35
PID 2032 wrote to memory of 2780	2032	cmd.exe	35
PID 2032 wrote to memory of 2780	2032	cmd.exe	35
PID 2032 wrote to memory of 2780	2032	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2960 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5a4d4fd803279e474d73c2d6d4fa6a10_JaffaCakes118.exe" & start C:\Users\Admin\AppData\Local\srrrc.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 2960
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2700
- - C:\Users\Admin\AppData\Local\srrrc.exe
    C:\Users\Admin\AppData\Local\srrrc.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\srrrc.exe

Filesize
328KB

MD5
5a4d4fd803279e474d73c2d6d4fa6a10

SHA1
73d97dca7edb7655072816f049f3a4e5fe8239b1

SHA256
5a5e803cc629c215fe97cf4b0a7ef0155768d65fa65705d55848eea2ebce8d75

SHA512
9b75f4db4839105b7b654dcc1aafaa4d3966971306be739041e7d1a95106d31b6cd088d5c27be97a140e3b16458c75a0301fe5d345ee4b2e99ca3c5858e920a9

Download Submit
memory/2780-14-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-15-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-22-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-21-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-10-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-12-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-20-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-11-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-16-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-19-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-17-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2780-18-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2960-1-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2960-2-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download
memory/2960-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2960-5-0x0000000001000000-0x00000000010BB000-memory.dmp

Filesize
748KB

Download