f85fe38d224cfb6f1abaef3e04a6b8825751e37d78f9359d6b7781c8b9e252a7

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe
Size

1.5MB
MD5

5c5d860fa9be89c96ce4be138db19cf6
SHA1

4f2d159ebdc8f71d08018e35314f9caca86d9405
SHA256

f85fe38d224cfb6f1abaef3e04a6b8825751e37d78f9359d6b7781c8b9e252a7
SHA512

48daaa8030ad09bba36091093b6e4a340046980b65a2839b8e29afe4073ee8477cf6113d874fa52d83177e5a00298f5ee0a3c5712a3857ee30a57d9f6e916697
SSDEEP

24576:NBFhKw7QQOj0w+YajM1GJXyQyEJkGlOYufBwKW1CmFOzRODlCc1pBlPP69wr3YCc:VhL1Dw+G1GdZyEJ/lHu6K0JeRgl71rRg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2172	StpF834_TMP.EXE
2480	is-6Q1AO.tmp

Loads dropped DLL 7 IoCs

pid	Process
3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe
2172	StpF834_TMP.EXE
2172	StpF834_TMP.EXE
2172	StpF834_TMP.EXE
2172	StpF834_TMP.EXE
2480	is-6Q1AO.tmp
2480	is-6Q1AO.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2480	is-6Q1AO.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2172	3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2172	3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2172	3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2172	3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2172	3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2172	3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2172	3032	5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe	30
PID 2172 wrote to memory of 2480	2172	StpF834_TMP.EXE	31
PID 2172 wrote to memory of 2480	2172	StpF834_TMP.EXE	31
PID 2172 wrote to memory of 2480	2172	StpF834_TMP.EXE	31
PID 2172 wrote to memory of 2480	2172	StpF834_TMP.EXE	31
PID 2172 wrote to memory of 2480	2172	StpF834_TMP.EXE	31
PID 2172 wrote to memory of 2480	2172	StpF834_TMP.EXE	31
PID 2172 wrote to memory of 2480	2172	StpF834_TMP.EXE	31

C:\Users\Admin\AppData\Local\Temp\5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c5d860fa9be89c96ce4be138db19cf6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\StpF834_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\StpF834_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\is-ETU4A.tmp\is-6Q1AO.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ETU4A.tmp\is-6Q1AO.tmp" /SL4 $30158 C:\Users\Admin\AppData\Local\Temp\StpF834_TMP.EXE 1239376 51200
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\StpF834_TMP.EXE

Filesize
1.4MB

MD5
ecc9e84ad49734bd2db26065487560b5

SHA1
83e9eb6d5854622a836f85fe716c252411f4d3e2

SHA256
12da845f30567366534abaa804fb88d1539351e08e45fad5712f24d2d134d60f

SHA512
48ae2ba91a25795942d80682472a911cfb8be1ad4e920b26bd587675f1c2767180b89e34757f85fcc23bdcd21c3417f433cf8efac6eb02a16ef1cfa7a516f0c5

Download Submit
\Users\Admin\AppData\Local\Temp\is-ETU4A.tmp\is-6Q1AO.tmp

Filesize
610KB

MD5
365e4b9988123eef3955a4fb28a9be93

SHA1
f2eacd886960eca81ba4c1e1e82f9e70711c296d

SHA256
cc85b7b90d427ca6f3b4c25593368bce1337eb475207aeed1ae2f9721b2370f9

SHA512
07f90c47216af13b0c059a08e226e3cf3de452f562fb40778195ce82344f6d2e17adc2a3456f618e508fcf1add5348685171ee7c0ec3fefdff327633e63b2991

Download Submit
\Users\Admin\AppData\Local\Temp\is-SCE7M.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2172-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2172-11-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2172-23-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2480-24-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download