ff9baa42ef609f8a98ecf91502c6c6c4eaf9cb65e6d1e64d8ed406d2c867b01d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 03:27

Target

3d8b4fda29a94abad1e5d87881f53310_JaffaCakes118.lnk
Size

790B
MD5

3d8b4fda29a94abad1e5d87881f53310
SHA1

52c637834d3645ee69103d5381bdaec4ad9f8844
SHA256

ff9baa42ef609f8a98ecf91502c6c6c4eaf9cb65e6d1e64d8ed406d2c867b01d
SHA512

f2c06b8658664c386a045b778dcf4197a3195d3c5b061b4b51ef02e2be687cab1e89f7e6604e49c538cac91f2c4164267ae53a0605504830492db9de3f5543b3

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2748	1880	cmd.exe	32
PID 1880 wrote to memory of 2748	1880	cmd.exe	32
PID 1880 wrote to memory of 2748	1880	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3d8b4fda29a94abad1e5d87881f53310_JaffaCakes118.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" I:\DOCUME~1\ALLUSE~1\APPLIC~1\ldei.dat,FG00
  2⤵
  PID:2748

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact