203c04461f229a0f0acf628c644a588b462d7de683f0086154ebd57b6b0e5b49

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
Size

593KB
MD5

6282fe5a6419462915a66eb2999dfd2a
SHA1

077c0ccb181bb1f767dc3960aa571016e25dfa75
SHA256

203c04461f229a0f0acf628c644a588b462d7de683f0086154ebd57b6b0e5b49
SHA512

03ec34262d5060e48cb627b586a047f463b54cad74a80a64bca58ee2a91729f2bf4e62a4dba6964a52b76352d4482992ea3163b05e56f62508c4a7c59ec7de3b
SSDEEP

12288:GpyuQvBorRimccTxKosx4UwuNjdRLB+9lf76GGsV3ReLiKzgqR:GpyubrRimjsxouBzLAPfZn3g2KzgqR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2804	1867.exe
2712	WinXPs.com

Loads dropped DLL 2 IoCs

pid	Process
2472	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
2472	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\1867.exe	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2760	2712	WinXPs.com	32

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WinXPs.com	1867.exe
File opened for modification	C:\Windows\WinXPs.com	1867.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	1867.exe
Token: SeDebugPrivilege	2712	WinXPs.com

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2804	2472	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2804	2472	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2804	2472	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2804	2472	6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2760	2712	WinXPs.com	32
PID 2712 wrote to memory of 2760	2712	WinXPs.com	32
PID 2712 wrote to memory of 2760	2712	WinXPs.com	32
PID 2712 wrote to memory of 2760	2712	WinXPs.com	32
PID 2712 wrote to memory of 2760	2712	WinXPs.com	32
PID 2712 wrote to memory of 2760	2712	WinXPs.com	32

C:\Users\Admin\AppData\Local\Temp\6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6282fe5a6419462915a66eb2999dfd2a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\1867.exe
  "C:\Windows\System32\1867.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

C:\Windows\WinXPs.com
C:\Windows\WinXPs.com
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\1867.exe

Filesize
297KB

MD5
5f508dea688139638c9a73dd03b580eb

SHA1
7a16b6dbb81af07378cd568ace3af897b397410a

SHA256
ddd9676f893da8eb1c0570c094e94bc3cad4e35e9c519cc3a95c46811c7bb703

SHA512
da517ca4fbce3d655ebdad8fc7f4cc54100d58e5cb4efefd91647734c2af719a83326c7794c6cf3d177f92406c6c3a46d58151fdc14637126bb7698c7b3e96d9

Download Submit
memory/2472-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-9-0x0000000002A30000-0x0000000002B36000-memory.dmp

Filesize
1.0MB

Download
memory/2712-20-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2712-26-0x0000000000400000-0x0000000000505E07-memory.dmp

Filesize
1.0MB

Download
memory/2760-25-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2760-23-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2760-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-11-0x0000000000400000-0x0000000000505E07-memory.dmp

Filesize
1.0MB

Download
memory/2804-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2804-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2804-19-0x0000000000400000-0x0000000000505E07-memory.dmp

Filesize
1.0MB

Download