bbbe8222197b8b0d145cb9f4083a4c97befc28a0c2ec33e6c34bbe5bfa557fe4

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
Size

5.4MB
MD5

63428f59e2a6751f317b9b47ab562048
SHA1

2be7ec4d73f12eec242f30eb61a3e3838c577130
SHA256

bbbe8222197b8b0d145cb9f4083a4c97befc28a0c2ec33e6c34bbe5bfa557fe4
SHA512

4b521d972694e7d597bba0308f869017ae810be8456d6f511f3f27a43a5409ae33155e1e8c30aec78a04d69f4b4074b1e4244565fa9918c4ba30f0f1c31f0c2f
SSDEEP

98304:qxmIY25JAmfnpZCMCxUd0nPrXpHzgyf5rpPniqY2DHDoLcKMmXec//////p:VIYsJAKZBoHxBiT2DHDoI9mXn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2796	agogodvd2blackberry.exe
2592	is-JBICM.tmp
2604	crverify.exe

Loads dropped DLL 51 IoCs

pid	Process
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2796	agogodvd2blackberry.exe
2796	agogodvd2blackberry.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2796	agogodvd2blackberry.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2592	is-JBICM.tmp
2592	is-JBICM.tmp
2592	is-JBICM.tmp
2592	is-JBICM.tmp
2604	crverify.exe
2604	crverify.exe
2604	crverify.exe
2592	is-JBICM.tmp
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2604	crverify.exe
2604	crverify.exe
2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2592	is-JBICM.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	crverify.exe
2604	crverify.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2796	2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2796	2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2796	2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2796	2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2796	2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2796	2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2796	2692	63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2592	2796	agogodvd2blackberry.exe	32
PID 2796 wrote to memory of 2592	2796	agogodvd2blackberry.exe	32
PID 2796 wrote to memory of 2592	2796	agogodvd2blackberry.exe	32
PID 2796 wrote to memory of 2592	2796	agogodvd2blackberry.exe	32
PID 2796 wrote to memory of 2592	2796	agogodvd2blackberry.exe	32
PID 2796 wrote to memory of 2592	2796	agogodvd2blackberry.exe	32
PID 2796 wrote to memory of 2592	2796	agogodvd2blackberry.exe	32
PID 2592 wrote to memory of 2604	2592	is-JBICM.tmp	33
PID 2592 wrote to memory of 2604	2592	is-JBICM.tmp	33
PID 2592 wrote to memory of 2604	2592	is-JBICM.tmp	33
PID 2592 wrote to memory of 2604	2592	is-JBICM.tmp	33
PID 2592 wrote to memory of 2604	2592	is-JBICM.tmp	33
PID 2592 wrote to memory of 2604	2592	is-JBICM.tmp	33
PID 2592 wrote to memory of 2604	2592	is-JBICM.tmp	33

C:\Users\Admin\AppData\Local\Temp\63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63428f59e2a6751f317b9b47ab562048_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe
  C:\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\is-Q0KSQ.tmp\is-JBICM.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-Q0KSQ.tmp\is-JBICM.tmp" /SL4 $4014E "C:\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe" 5198450 65536
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\is-EBDQ0.tmp\crverify.exe
      "C:\Users\Admin\AppData\Local\Temp\is-EBDQ0.tmp\crverify.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseE86D.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
\Users\Admin\AppData\Local\Temp\CSMEDA9.tmp

Filesize
156KB

MD5
c30ad91fe7b1e7acaf391f4a66af6f06

SHA1
693467a271674cc45ea11bc805f66401fd04959a

SHA256
f0341a98b30386571ca83b24dac64534619727e13271a50a3d23f5287a3a3dcb

SHA512
f1ee9a93748b8dead511e6490b3752429fa8fb78987cd273b51379a5f021b0c917b514c4f8c0da6543efbf8637736043fb8d4e05fc3727165183ab6cec790e44

Download Submit
\Users\Admin\AppData\Local\Temp\agogodvd2blackberry.exe

Filesize
5.3MB

MD5
cf4326ef8d06a4603f7f8d9bd931c29a

SHA1
e6aea6adaf07db241040318b6a79d52d41ba98a7

SHA256
eb24226595ae46a1b2811f8aba56c03a2271bc9be782ed7d52076df970922b9a

SHA512
290d73e5d9781d44c179d12dd79dc16c2eb60daed57d9caea716d2244accff2c0cb257cde08071d654f9cef8c21dc0c0f36f463ee9bfdc83a3d2fb1df4cae40c

Download Submit
\Users\Admin\AppData\Local\Temp\is-EBDQ0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EBDQ0.tmp\crverify.exe

Filesize
240KB

MD5
b42a69da9a633d4625c8d8edf3519acf

SHA1
55dfe024a3a2bd173eff363161ed641551c0b911

SHA256
4a1748e4a21f361b6e8b9f6eca004b80e67b4c3f5c91e9459281714eec543a7b

SHA512
5411ff03c0682d2d4e43f57d0106f010a147b4ed16bdff56b46e6853430a3a3811bd90acca9c24fcb98b4fe6c8aad2845d31b5753d19e8423acfe324e38c8413

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q0KSQ.tmp\is-JBICM.tmp

Filesize
668KB

MD5
9920812796e6f8edf43e0aa79473bc86

SHA1
90d345a34ba5a7b582f1c9e6e23f7693fc7adcee

SHA256
66cf626ed02d471934f2a764a0882965689239ea3760294366966193f110398d

SHA512
ca73cbf8b0ae1ab6613335159e5bc82af680cdadfb3ae1f36376f720c23d2b8af774173419b33b0489fddd01a0629cad1df3784a24ce86483fe177c581fab052

Download Submit
\Users\Admin\AppData\Local\Temp\nseE86D.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/2592-175-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2692-156-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/2796-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2796-27-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2796-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download