Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    14/08/2024, 13:50

General

  • Target

    965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe

  • Size

    276KB

  • MD5

    965af3f1da7fd6a63e689ae342485a39

  • SHA1

    fc2966118e5fc1fdb173501ddbf057b365e1bf3a

  • SHA256

    aec67a93c33daebf8e03da1f6bf12780ac588c146feb206f7f6b0f226ff65623

  • SHA512

    7ddfd8365138733e23b8c39deb3c7c96f6291795872c6e4206241a8d90667080d6b40559db3716ce118dd3c0adf5d99f24a23975107850062fa0679d7b5cef94

  • SSDEEP

    3072:uKVMNfZoTD8/doTMjo17eiMDaFh043kLbHcsBTsuZfD:uKV+b/KTReiM+2bHzBwuZr

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\965af3f1da7fd6a63e689ae342485a39_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ypvjuva.bat
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Users\Admin\AppData\Local\Temp\timxpl.exe
        "C:\Users\Admin\AppData\Local\Temp\timxpl.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2476
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2332

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ieobgq.bat

          Filesize

          170B

          MD5

          f8a7abd373685c26b8a6df5fb1e73f82

          SHA1

          2bac531c53106e7701f57f98fd984699861f0a01

          SHA256

          de8ea1c280b285f3b79fcfac2eb6070bc2485b66ed13729efe569b1f53f590f4

          SHA512

          c03032d9b407b05db366899dae5e7409c06c550552051320979c41502874039fe093127e29a1f107e66948a85d7592f178e6132628222acb30fbd8208e031a9f

        • C:\Users\Admin\AppData\Local\Temp\timxpl.exe

          Filesize

          176KB

          MD5

          3ff1b47f2c207004dd3c855265f4a29e

          SHA1

          2ba1d4e0b796bbf7912eae6188c7d4296185efba

          SHA256

          cd44038b2fe36d0bedd2d5c32bd375a7f575d22ba99d40993247eb5f4a020e70

          SHA512

          307dc6c7116b0b6cd1e85a63e94b0f71038647adda74f5d09a204efc7451ecc222347bf8bf3cc1b32d4243ad99d7d961c8f22e4ddf8105c1e3920da8a3fc7bb1

        • C:\Users\Admin\AppData\Local\Temp\ypvjuva.bat

          Filesize

          124B

          MD5

          9503516a068ef18b8fca53873a113006

          SHA1

          a002d0c3bb85768f7c980a8332f44105a56a03b0

          SHA256

          26bebe3692771e5fb48b1497978273800f798ef7bf7b3d9bf2edf11117bbf7a0

          SHA512

          b943124fa5facc431c07daf37aa06193e2ed1817c75d3b4e5ab8ea915c2aadf88838083f8de9c5b86bc51737aa8d96481ebe9098db386a3428bf3f5e598f5af5