61537ccb864a063de3ec48488d4296a52f2ecefa316e2cf409619b4735dd817f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe
Size

41KB
MD5

5ea3a8657d0d5e5c28acbfe532f20327
SHA1

bd124e9d8f2684c12805c6fd437373f0751c4b85
SHA256

61537ccb864a063de3ec48488d4296a52f2ecefa316e2cf409619b4735dd817f
SHA512

a052799287d9517243f295d740b9f338a780ff2f69c4bc6e92970f56badd9abc4a74c7ad1d376f3cd0718e7b4743d7fe43745d29c943dfef0e0eaf1d5f2e8597
SSDEEP

768:QGBar1ZIZYnfI9opm6AIHIjaI7g9mVmUnDoNE/W5dRV8:fW1ZIZqI9opm6AIHIjzmUUNzd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	sxhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe
1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2572	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2572	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2572	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2572	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2224	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	31
PID 1420 wrote to memory of 2224	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	31
PID 1420 wrote to memory of 2224	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	31
PID 1420 wrote to memory of 2224	1420	5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe	31
PID 2572 wrote to memory of 2620	2572	sxhost.exe	35
PID 2572 wrote to memory of 2620	2572	sxhost.exe	35
PID 2572 wrote to memory of 2620	2572	sxhost.exe	35
PID 2572 wrote to memory of 2620	2572	sxhost.exe	35

C:\Users\Admin\AppData\Local\Temp\5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ea3a8657d0d5e5c28acbfe532f20327_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\sxhost.exe
  "C:\Users\Admin\sxhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\sxhost.exe >> NUL
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\5EA3A8~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\sxhost.exe

Filesize
41KB

MD5
5ea3a8657d0d5e5c28acbfe532f20327

SHA1
bd124e9d8f2684c12805c6fd437373f0751c4b85

SHA256
61537ccb864a063de3ec48488d4296a52f2ecefa316e2cf409619b4735dd817f

SHA512
a052799287d9517243f295d740b9f338a780ff2f69c4bc6e92970f56badd9abc4a74c7ad1d376f3cd0718e7b4743d7fe43745d29c943dfef0e0eaf1d5f2e8597

Download Submit
memory/1420-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2572-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download