Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:35

General

  • Target

    c073afd8de644949c2c3598230216a66_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    c073afd8de644949c2c3598230216a66

  • SHA1

    c057eb3365f7be929ffbaa6ffd29a58cea83b9f4

  • SHA256

    c6715ca98de9cdaf9e83c8b51d9e64ddbb17fdfb792dca1e8d5d90c167e8204d

  • SHA512

    346143dc5c765cda704370dfa5ac67ac40f573f8e51f294bcb1a060042af79dc639abf31d4bae1b129c5a97398a6be798ea01b6dcd79b83a827fc0c6c63952ae

  • SSDEEP

    49152:BZgu8rAi+3USz3h1/XBkThdTlpSuxQxN9dT4S9I:BGIjR1Oh0T0

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c073afd8de644949c2c3598230216a66_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\24436.bat" "C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\1768DDFB6C12481E9E8B48DF4F206E6D_LogFile.txt

    Filesize

    10KB

    MD5

    0afbd43579a9c07b24bfd1df3d9c5a91

    SHA1

    bd4719178500e5e0e0cae4747a16fba9effef5ac

    SHA256

    1bdbe06decceca9523823f1c9b2c34d1656152124ab4321888eada132e764f61

    SHA512

    4ff63efd5f820a5c5266a16c57f752ad074707680cf6036d1d812f12d7b39a9898ab9dc6c01e93aa164fa3399887898e6c7fa4ca199d60901bd138dfd4e779a4

  • C:\Users\Admin\AppData\Local\Temp\1768DDFB6C12481E9E8B48DF4F206E6D\1768DD~1.TXT

    Filesize

    120KB

    MD5

    80224460f59b41e96bcdc2f61f2cf089

    SHA1

    a974c29bfc8c4ae9b6baaa900e4b71ebb2eed947

    SHA256

    39133a3ef8637bd48a9f2ff3a1c43c50de7f975bf3d073a0940097f8be6a8166

    SHA512

    ce4d33895be10f3c0f29e5b08f924b40c11cfbfd54f39333b176d1631bd1c38f304fdf40126d15e782c406bd2b912514fb477b9440d54ac22d185223d372f1fb

  • C:\Users\Admin\AppData\Local\Temp\24436.bat

    Filesize

    212B

    MD5

    668767f1e0c7ff2b3960447e259e9f00

    SHA1

    32d8abf834cce72f5e845175a0af2513b00504d8

    SHA256

    cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

    SHA512

    c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

  • memory/2772-65-0x0000000000470000-0x0000000000471000-memory.dmp

    Filesize

    4KB