22f599c4b0fb28992b6d99ec1134b10804dd4b0ddb734188ae3148f16667f2f5

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe
Size

44KB
MD5

62d86d48c1e3e0e99de553e483a6e812
SHA1

39e43ed662b0b37b1d5d48d2aec297972b760aa0
SHA256

22f599c4b0fb28992b6d99ec1134b10804dd4b0ddb734188ae3148f16667f2f5
SHA512

58e91815cc6eabf8996e5c97574be50c1e4161a8183b38188ace42a19e06a8149fabc4b7ce4ddff4c6aba99485c1710fc4759fab0f2c1f1961d66a3541ac90b2
SSDEEP

768:eo15svxVih9sKrLUhivCrHA9tGT8T0kdOGivJ1b:ejih9sK5qDZZ1b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1844	send.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	cmd.exe
1736	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2372	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
292	62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe
1844	send.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 1736	292	62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe	30
PID 292 wrote to memory of 1736	292	62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe	30
PID 292 wrote to memory of 1736	292	62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe	30
PID 292 wrote to memory of 1736	292	62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2372	1736	cmd.exe	32
PID 1736 wrote to memory of 2372	1736	cmd.exe	32
PID 1736 wrote to memory of 2372	1736	cmd.exe	32
PID 1736 wrote to memory of 2372	1736	cmd.exe	32
PID 1736 wrote to memory of 1844	1736	cmd.exe	33
PID 1736 wrote to memory of 1844	1736	cmd.exe	33
PID 1736 wrote to memory of 1844	1736	cmd.exe	33
PID 1736 wrote to memory of 1844	1736	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62d86d48c1e3e0e99de553e483a6e812_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" -s"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\PING.EXE
    ping ; 1.2; 0.3; 0.4 - n; 1 - w; 500
    3⤵
    - Runs ping.exe
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\send.exe
    send.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.bat

Filesize
53B

MD5
4da283a555618b010343dcea48bb4dbf

SHA1
3b29fac657c1c398d969d3304a11ac11675668dd

SHA256
ee78b2cab2d3cb104ec878df2669896effc888d01b6f66ce9e23d8d2cf8a6fbd

SHA512
6e2e3741bfca846c3e43f249076af5a3ca95f062ffff9e2f0a87632f96fcba65f9e1ab30ff33ac99394132d39283551c2bd919271f120a0771de0466ea1e3ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\send.exe

Filesize
44KB

MD5
62d86d48c1e3e0e99de553e483a6e812

SHA1
39e43ed662b0b37b1d5d48d2aec297972b760aa0

SHA256
22f599c4b0fb28992b6d99ec1134b10804dd4b0ddb734188ae3148f16667f2f5

SHA512
58e91815cc6eabf8996e5c97574be50c1e4161a8183b38188ace42a19e06a8149fabc4b7ce4ddff4c6aba99485c1710fc4759fab0f2c1f1961d66a3541ac90b2

Download Submit