545973de41aaeec424949975a6477ec58259be8c5d4b41ab57a9f5184cd367db

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe
Size

4.2MB
MD5

5c48416137b42e268fa414ca3e5223f0
SHA1

b4479ec4a7c02bff1f9f1431edb38cebc1ac1092
SHA256

545973de41aaeec424949975a6477ec58259be8c5d4b41ab57a9f5184cd367db
SHA512

c17b53a35d6f802ae5044b966567177dd8c9dde9b3e64656b90280071cc06228f75fd77e96caad023049070a07948e9983664b2113ae3a8c84bcdb8069e34f6d
SSDEEP

98304:1eMwdPjC59yJ7dECQ4J1rRf9n96EXKoIrDuL1H8d:rmPjSUf9n97XKCa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2264	7za.exe
848	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
2500	cmd.exe
2500	cmd.exe
2500	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019504-36.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
848	Setup.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2728	2808	5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2728	2808	5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2728	2808	5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2728	2808	5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2728	2808	5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2728	2808	5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe	30
PID 2808 wrote to memory of 2728	2808	5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2500	2728	WScript.exe	31
PID 2728 wrote to memory of 2500	2728	WScript.exe	31
PID 2728 wrote to memory of 2500	2728	WScript.exe	31
PID 2728 wrote to memory of 2500	2728	WScript.exe	31
PID 2728 wrote to memory of 2500	2728	WScript.exe	31
PID 2728 wrote to memory of 2500	2728	WScript.exe	31
PID 2728 wrote to memory of 2500	2728	WScript.exe	31
PID 2500 wrote to memory of 2264	2500	cmd.exe	33
PID 2500 wrote to memory of 2264	2500	cmd.exe	33
PID 2500 wrote to memory of 2264	2500	cmd.exe	33
PID 2500 wrote to memory of 2264	2500	cmd.exe	33
PID 2500 wrote to memory of 2264	2500	cmd.exe	33
PID 2500 wrote to memory of 2264	2500	cmd.exe	33
PID 2500 wrote to memory of 2264	2500	cmd.exe	33
PID 2500 wrote to memory of 848	2500	cmd.exe	34
PID 2500 wrote to memory of 848	2500	cmd.exe	34
PID 2500 wrote to memory of 848	2500	cmd.exe	34
PID 2500 wrote to memory of 848	2500	cmd.exe	34
PID 2500 wrote to memory of 848	2500	cmd.exe	34
PID 2500 wrote to memory of 848	2500	cmd.exe	34
PID 2500 wrote to memory of 848	2500	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c48416137b42e268fa414ca3e5223f0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Extract.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\7za.exe
      .\7za.exe e .\WebPlayerTV.7z -pjesuisadmin -y
      4⤵
      Executes dropped EXE
      PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      .\Setup.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BAB.jpg

Filesize
37KB

MD5
61992d5995f0020c48f1cf541e044024

SHA1
c4d7069d450b774807735b804edcf76317b6f2b4

SHA256
bb7e2d019add8bebe2cafd5fee397c438a05d3296fe505755a59599c15bbf92d

SHA512
0dafb6b1fd289fb7d5ca954ceeb1c1794cb43f331114e3be8f8ad795c33a003c1962fe254f299e33ecc08e590acec332034881ab8d975f921dc00c76fcd6e728

Download Submit
C:\Users\Admin\AppData\Local\Temp\BANDEAU.jpg

Filesize
21KB

MD5
523c100a6fec6eb73c10a705ba1a232c

SHA1
c6d6246e3a419033e405f057f38dcfec57eae628

SHA256
73347a81d34cee029012392a51fdc62e3dd53eb1a1d0f42b62d0f5080058cd68

SHA512
c4c7b0ea9aeff0dab543bda19862a078abce61fcaa1cf3a6c815dd52af34f31cdfc5042525ef02a908a9ebdb7c734c04a068c9593eaabdcee34d9aef38a2ece9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extract.bat

Filesize
87B

MD5
9495ff73014b8a17bd4798911ad097fa

SHA1
71b6db4d7e576cf8b1cbf93079397bc0c1ce46b2

SHA256
0a59275adf474e7164e14a7e622ecb93f3a1477958e6e1e0de6d7ae2c6913a33

SHA512
55062bb9381ac302367aeb43492613762434da730663891f577e050fcbc0993eaf19e96154adf4d669cb9587d8eef2a7ec96cb02b366db5d5c58b1eefe64ecd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanceur.vbs

Filesize
115B

MD5
67eb1322395d41dddc9045b4eef2309d

SHA1
b85b2332b9fd4ac03aec49a9291e90e8b96547a5

SHA256
56ddc657309aeab74ca42cf466deac992da8a0054830340ba839ffdf1d242be4

SHA512
de37b1358f639f6647e6ae99b6719a0ddf5e9b8f9e8ea33b6284ecac3d33650e9257a63697dcd5d79ee5ed2790ece0b3aca3332719f678ca89f3d4562b00603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOFT.jpg

Filesize
74KB

MD5
a4d795c34867efbba61d84a09156d772

SHA1
672c675792527a3876fa18b1971630965d1a90b6

SHA256
1011c278c03a696d8ca3e7e3e039a6b184b740a57585f4af5bf62ff8d428701a

SHA512
9fa8cbeed832d3ba238e5247a1704cb586b275ac5f4e3dd97115c04a34709b59cbc5611e74558cd9467d12b332c831fbf88fb71bccf0786de5fc35204bd7abd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebPlayerTV.7z

Filesize
3.8MB

MD5
ffb52edc44a84c9efa827f047acb0254

SHA1
59e5648b24a64649d9b6c78f73e0ab7ce37d162c

SHA256
4dfb07b98493aee46a2078d8514ef77551a663df47dd00f6d9169a0355816dbe

SHA512
3f0079504666eef4bb04ce28649929b8a1af894537b80ba6936b1785d3cc9ee5fd1fc9886d44689715926cb2ab057b355f003148ec228749f8b4b3b0c6e39026

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
356B

MD5
88120f8c8f57321a91fa1c00b898cba2

SHA1
073af01c61707c810b0336f2d9f37dec3cc175ef

SHA256
6b20e9a25af4c092558f463786f630e27638f1cd44791f6b886c797548ad9adc

SHA512
d5b7955cf9c4b3c1ee0588b7c0453466c0e0b48d4793685ab8e7af3a290b7e66e66f285a3c46ef3762b2a0fa1745abb5f5cdff0895dc47cb2b072e1590dae5a4

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
754KB

MD5
a9590ed40a7f7430e9502f98ebc86239

SHA1
45b2942570896d664f1b530d9713c1c667dd95af

SHA256
dd025f6e55464a1f9bfbc28994c406c8b7948624ac4fed52edf62f0a857c45e3

SHA512
d031e1516b8f5467d11cb6ff7cc1ee3301c3476aa8e5b957ba553c65457a49f5fd67e87fe2af10b5c83b03e9f40bfdb143a24da2d78419df24cc8973ab447c5e

Download Submit