d8b86ce725aa3e531bd473df819314ed0a369a28a9285ad2a290fba848252b0c

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe
Size

136KB
MD5

664e525e4cae54b6ef018da03d5e83c7
SHA1

111dea87ddef433dd98a0f03934877037cc26023
SHA256

d8b86ce725aa3e531bd473df819314ed0a369a28a9285ad2a290fba848252b0c
SHA512

5caa65d86b588dcd065921727da23dca452e1376d0a5adde63232609ae3a2ec07612c71f3dad7fb76e58a48c965209f2b43ed2dc76badbc7b068eaf9ee26ae69
SSDEEP

3072:kYAuzenWaIHrc67SeUYJQhdoNQl/kx4xbYI:kYAfnWaILLGYw7l/kq

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2752	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2516	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2516	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2516	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2516	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2752	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2752	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2752	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	31
PID 1724 wrote to memory of 2752	1724	664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\664e525e4cae54b6ef018da03d5e83c7_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EE7ECC8CB788CD72.vbs"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\WinCC5A085B\99BC9BAE95B8.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CC8CB788CD72.ini

Filesize
35B

MD5
363551ca39847c0c0dd20ad3186b7d64

SHA1
1524b035b033c4ad08b676d2742c562e6202ab3d

SHA256
6798911e35678b43798fcd2f4154f3dee3d992d896bf3351cdffe181b348f2b2

SHA512
9772060e3e1c96c251a653f9f00e5b14214fcab53387038f157f0a363116e8503fa65031430c8ed1f102a64a5cdf40efb136cdcb1162c0289942dd7cd7d18efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EE7ECC8CB788CD72.vbs

Filesize
846B

MD5
6fdf031a179ef0c6772eefbda99ff689

SHA1
aef5f443b38f853ed258ada4e15ed0240922a834

SHA256
3f539711bcce9b2d72a77978b9fba80facda51e2bea559066420cb520a578c4d

SHA512
e4d620102e2356049773e189cca576358a07f2596a356bd13b7d9494398955c51e45f622f2fb2598b804de4bc18a53aa71fdeba1460a6ab3284ba20de4a17346

Download Submit
C:\Users\Admin\AppData\Local\WinCC5A085B\99BC9BAE95B8.vbs

Filesize
847B

MD5
2c632fde4f4a84dd0f17b8a40a2f895c

SHA1
2bacb5a5d92bbdfd59612780ad8e764c8735d9a5

SHA256
95cbb528de360846682a2d78e9d60066d4f4d91a87d9018efc5173c7a467efb6

SHA512
2bf6f3e75a1b07691c4ef3320bf16bcdc3e27236807ea6771367566a6019b4c5dd97d909d1a70f85140e6750228b1401fcd58186ad3a9b8cdc149b0fcf35045e

Download Submit
memory/1724-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download