ac4a3e618c040ac02d28fdef462bc0d1fcf78467f622ca6fb7c49f23a5124733

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe
Size

209KB
MD5

6228000c2488d7dd89970ecd6d0b9ff8
SHA1

4b027947798ae6a5cc4b777cf3917c1ba0a3c330
SHA256

ac4a3e618c040ac02d28fdef462bc0d1fcf78467f622ca6fb7c49f23a5124733
SHA512

bb057f0598db346fa86d55cdcae6b64320c4dd286f54de6d6566198b7a89b74b236ef93deb2af749538a14fd94fe9856e94be7ac850515800fcebe6a5fdd57f3
SSDEEP

1536:kwQBHvoYUWjzlZLXf4QJpUT0mSBAgapetc8o/Kdgo5QGuG3g7/:kBlvaWjzrLXQQJKgmSBAVpet2Ago5lu

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2124	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe
2116	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7df4d4c\jusched.exe	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe
File created	C:\Program Files (x86)\7df4d4c\7df4d4c	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2124	2116	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2124	2116	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2124	2116	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe	31
PID 2116 wrote to memory of 2124	2116	6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6228000c2488d7dd89970ecd6d0b9ff8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files (x86)\7df4d4c\jusched.exe
  "C:\Program Files (x86)\7df4d4c\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\7df4d4c\7df4d4c

Filesize
17B

MD5
2130fee70fc3f7c10d5279f96f98ad1e

SHA1
4307cef89171fa230048ea22546802198d888780

SHA256
3506e286f6223ccaf1665d4e457b712abeb527266ff28327ce60e37b9fbeb404

SHA512
67fa1bb31028ff3ba125f184207499b9205f58c9eef2ac948f5824475515c396b3d5f93e207cb96deffe1aedb286b1f935cc689c5d84449e51c517da1cffe2e5

Download Submit
\Program Files (x86)\7df4d4c\jusched.exe

Filesize
209KB

MD5
9e745ae7607d66043992c0912daaebdf

SHA1
6a7c4befd05144e762a268fc64ecd520b011646c

SHA256
7d71154e974e99a4300f7399abe7e4dfdb69ab476ee5e9f5f09eaf03053217b6

SHA512
ebec5bb47c7bc0c7c54593c09d1c0175ad7f438d2de8e49a3fc67e6ee69fd6bfb8f93ed0708ea8ae899925d7f22da6c8883456084356f6ca18657221ef272aab

Download Submit