Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 21:34

General

  • Target

    0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe

  • Size

    12KB

  • MD5

    0c8a4921849df0046bea3b9dbefd80f9

  • SHA1

    8a618e17320d10f486861babb4feaede3898f2c2

  • SHA256

    633e54c489c854ad722253551e490e4435e3d9c9e002da12bbcc0de1509c540e

  • SHA512

    e3793852c094d5c81684af548388bccd199c5dcbc05bba9b63123a0a92cfbb85ec1208e26a175965f51ca1fa6d36c152ab5af279d621909cf03de65b17e7633e

  • SSDEEP

    192:en31R5Fhp8cdwpHR3AkPLiM79mLU2PcSe8hcqm:oj5FZdgAkTiM79mgLSeScqm

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\0c8a4921849df0046bea3b9dbefd80f9_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B8F3.tmp\batchfile.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\B886.tmp\b2e.exe

    Filesize

    8KB

    MD5

    67a3e740cb73c0dcd5c4224151710cbd

    SHA1

    7b6a87ab57da93831b193761259389827fa2efa8

    SHA256

    1667cb62909b1de21dc1345a9c16c520866d77d6c0b6759c51fd4fc725bdbe28

    SHA512

    70ec8f783caaf017b2dd4f8a89a1d330c6369ba5d7fd6b1bbdb0193e59e72974bcd2a6fb22c812ddf0ac4f9064e9d879456eb8c70fb874285ba7685cc0fad1e8

  • C:\Users\Admin\AppData\Local\Temp\B8F3.tmp\batchfile.bat

    Filesize

    23B

    MD5

    5daa75bbb8b5c960fe4a28884fad5910

    SHA1

    14c1b355026ea8e7b8832de5da56fdc650219971

    SHA256

    96a334105f778dd15e94f8b4db6ba28222d466e9d4b26321dabff8d64d3fe9d0

    SHA512

    e768c1edda162e1ce894934ac5649b04bc4bcb331aef3c7ee93cb3e50db3df2f3439a2de757dde4c41f1127619a4ded7c790ba3d36a0df5475f79a78ea59f16b

  • C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

    Filesize

    158B

    MD5

    9c1fc7f81e97690e0be85fc0462623f5

    SHA1

    0a9fc59bd80e4cecc69cded465ee10af334605f5

    SHA256

    380db357eb459ecef1f80b435520ba488c084c07ae2335899cb8590ff51d4319

    SHA512

    0181f2b0f125d9bc2cce3b7f51314213ee66328bd4352e31f9f0f6dcbc7a08984c97cb06e6cda7814a78d278f1b7493c1283c767e0d526a421cb2848879501a6

  • memory/1932-9-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/3068-10-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/3068-35-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB