Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system -
submitted
25-07-2024 23:45
Static task
static1
Behavioral task
behavioral1
Sample
71bf4a5e09071220aa0903267babd1e7_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
71bf4a5e09071220aa0903267babd1e7_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
71bf4a5e09071220aa0903267babd1e7_JaffaCakes118.exe
-
Size
5KB
-
MD5
71bf4a5e09071220aa0903267babd1e7
-
SHA1
baa7ab8fc2aef89ec7c7de80eafe3dce2d620995
-
SHA256
8de9e65fdfb4e4843a7e19968b6cb13fa052633debdef9d69d93fc66b846823f
-
SHA512
ec0083bdda165ed96e8bc9a77d76dba9a5ca98bee4ead1222b82c0e1be230923646748cac83ad3546248584ec7c58c9c813e40369071aa940606ac8d822b0ce1
-
SSDEEP
96:nPZuU0Hx1KdhoZEmsXwxVtBG9vLLfRsOC:nwKdwsXcV6VLznC
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 46 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
93B
MD5
4f867d9f7e589545cb4ccc130a8dd1d0
SHA1
4e18acd12b87ae085514d4cced6b1b883e2c6ad2
SHA256
bc2215e2764346a1f609bbc0f6be476b0048d921bf4ca1a37a1d46552f2d152d
SHA512
3bf2b4c9f998e8e303e07495a1635cebe2d27eb13484dcf6b28e273458c33003e5d9a6ce77021b5fbbfac4bc45f450afda321dfd79bf01d0a211233a3a3f98c2