f3442220948be10ac6b5a0fc6b7d54e12ea5d93ed6ef8963ae927d9359df60d3

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe
Size

167KB
MD5

672743cfe4e8b7ab9d0d79e32165ff70
SHA1

783ec1a765c0d0e73fb0a382d57285bf1a7f9ce2
SHA256

f3442220948be10ac6b5a0fc6b7d54e12ea5d93ed6ef8963ae927d9359df60d3
SHA512

3af74958bc765a8bfa93437168df21ba44d8ac8a1b006ec15084dfe672f9dd57555f552446f729aa593b42f1bd987f700ac4e2c9418a59d1f24669b46ea55059
SSDEEP

3072:tVX+U5ON1N662FEsc9xLFepY5/zuiGpDXozm9x7Zy4yb4+Hosfbn:Y6/cvLEq5LuVpDlz7wzo4j

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2192	msn.exe
848	msn.exe

Loads dropped DLL 3 IoCs

pid	Process
2552	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe
2552	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe
2192	msn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 848	2192	msn.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
848	msn.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2192	2552	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2192	2552	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2192	2552	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe	29
PID 2552 wrote to memory of 2192	2552	672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe	29
PID 2192 wrote to memory of 848	2192	msn.exe	30
PID 2192 wrote to memory of 848	2192	msn.exe	30
PID 2192 wrote to memory of 848	2192	msn.exe	30
PID 2192 wrote to memory of 848	2192	msn.exe	30
PID 2192 wrote to memory of 848	2192	msn.exe	30
PID 2192 wrote to memory of 848	2192	msn.exe	30
PID 2192 wrote to memory of 848	2192	msn.exe	30

C:\Users\Admin\AppData\Local\Temp\672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\672743cfe4e8b7ab9d0d79e32165ff70_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\msn.exe
  "C:\Users\Admin\AppData\Local\Temp\msn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\msn.exe
    "C:\Users\Admin\AppData\Local\Temp\msn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\msn.exe

Filesize
147KB

MD5
c02bdd7f5ddeeb62f1d63d90c0000134

SHA1
a46ac18bb69f7a6b864653a1f28ac4c3b6c0603c

SHA256
afac3fdc2f4ddb65a65b8fdf1b90c76ee5b482a0d854a38b87e9a29e89757dc6

SHA512
01841365baa1a171d5f577a0463f001f71a5a999ecd5f984bb6fa6a1016fccbac9e404d2ea93249f80a38cf074155a9850c99edd3a647b4dfefa221c0fa7cdcd

Download Submit
memory/848-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/848-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/848-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/848-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-18-0x0000000000010000-0x000000000002E000-memory.dmp

Filesize
120KB

Download