Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 09:35

General

  • Target

    c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

  • Size

    967KB

  • MD5

    c07392e48322e4efde24d759d27262f5

  • SHA1

    b1c17d7a9ee01164f79aefbab2d9d792648136b1

  • SHA256

    517dc10df7fda0b7334a76c8e34d638562f32f724e45f8f8e91f7729c6c41f2a

  • SHA512

    9ae4e28ea9554801dbfb3ecc15e54c77bf085bc266338993939dcff797702747ab6b7c3a035bdcd145209d2cbf190f513ea07f175160c2d7127e9ddd9d306e16

  • SSDEEP

    24576:5tXCT35bEN60Yc/rMegvH6RK1aeGokgwH8:5KBtV6MjvH6RIrDC8

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/c07392e48322e4efde24d759d27262f5_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nstE82F.tmp/fallbackfiles/'
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\789.bat" "C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 1 -w 1000
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\789.bat

    Filesize

    214B

    MD5

    739fcc7ba42b209fe44bea47e7a8c48f

    SHA1

    bc7a448a7c018133edcf012bc94301623eb42c5b

    SHA256

    69017cdbbe68396f45e41d211b22d800cc1afc0eadbd3440873038585020315c

    SHA512

    2b2b130798b0f4e534626b9fb5deaa10bb1930e6700ac0ba7cf151c1bf3239039a7032ea67ceed86a4a4dbe981064c42a8e0f88fe8361e27002dd8ceb0ea767a

  • C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt

    Filesize

    5KB

    MD5

    c63d7b1e0809942e9ddcd4fa117a6dc1

    SHA1

    031c37fe44803015210b3437a4a88e15eba1a009

    SHA256

    2942e34dfe53a45c358a0a2c793bab1446ee9997f638c70b67b78f671847c396

    SHA512

    2922532c93adf94959e886234f535434700f42ad5bd8857337b07886915c17e24aa5e9f2fb77f2562ff44c38b9c475d0b32816a8655163f5f2c8eba90b7b72ad

  • C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D4BE58E4A75874495FE746463EC_LogFile.txt

    Filesize

    9KB

    MD5

    2afa019ce5d278359bb1e6219932c2c3

    SHA1

    eef70003ddfce7fbf488d5ffa214bbb2c8584a7e

    SHA256

    3e6de7606e8b581b5672d3ff70594950aa76c4fe87d953093c9f4c806918d6f8

    SHA512

    89647f17b9341e3a43239f5f28d9382e1f00534e709854c3b9fb0c04f3e160c2fce49b34ec58aa9d0e262baae99c1669d61da61e53d044bf58010d5743a17165

  • C:\Users\Admin\AppData\Local\Temp\BA0A7D4BE58E4A75874495FE746463EC\BA0A7D~1.TXT

    Filesize

    124KB

    MD5

    ebd9b0557293057bc6a1cd80ca1bcbf0

    SHA1

    113cbf031f612faaa4096dbba46f4d2af959d73c

    SHA256

    5df1a0cd7ff8b44f33ca817422bd85d17000c33d4eb972fe05502160dac4f5d0

    SHA512

    a51acff2c1003f6f64ca612c8ad340a9c827a752a3bf256c014fc4d1e74a11838ee9749e12dff3d2e9188e1b99531ead24d7f93d98ed571f8064b0fbe594609c

  • C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_icon.ico

    Filesize

    11KB

    MD5

    592abe695d3fb84c8a7589b0d2553a97

    SHA1

    d70d6de6fa25ca1924bd02b84075ee94f3870133

    SHA256

    ed59d25e5daf4e4c89c09a4c829ac4d12f1b0e258d167760a07bce6266cebda0

    SHA512

    a8c09f8f35790a0bcf4b69ffa7f26eb60b8e14394ecef6a63c1776e538eb749251545dda48f6a7243c91d9779d24b4d774b39dbd966d32e5fa39071fff9a0978

  • C:\Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118_splash.png

    Filesize

    136KB

    MD5

    0a8589de904eec91522c276d896216c4

    SHA1

    58ba5e9158c3afa3c3112fe1e24567996794c07e

    SHA256

    496d42e72d7c57969f584849a8f7366783afd39862f7f71b59d78b723225cd55

    SHA512

    bea912ebc889e6444532beacbe562038b78c918dff9bfa16d7d9a15e25f52ce90e93a6736636926ef7d45e65eb8f73da92149e3188cf5a4b78a8d248b3b0d9fd

  • \Users\Admin\AppData\Local\Temp\nstE82F.tmp\internalc07392e48322e4efde24d759d27262f5_JaffaCakes118.exe

    Filesize

    1.8MB

    MD5

    77bfacca17ee1d89833b57f3a746d9a0

    SHA1

    aa9490c913489c5eafd02f67f875efcb56d23036

    SHA256

    38571b0965110d07c6fbf4813ab628d4017cf52c681c457fb3f184b644fb0b52

    SHA512

    21ecc2fce94a58cd39127964730b01722b9dafa20d3af65b023fe83188c08211ba1324849513ffc10b6a359737f98c4d06770dc1954f8880daff938a06581e6f

  • memory/2116-276-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2132-73-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB