Analysis

  • max time kernel
    133s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-10-2024 21:14

General

  • Target
    53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
  • Size
    14KB
  • MD5
    53c458b4ed395f5b0d39bdc8834915b6
  • SHA1
    cbe66c2b4c92ca1cc80a74199d6d8da8fe481d40
  • SHA256
    5ebfae04ff09cc0126a86bce3c42e01bce6aca4dd87a63c9663a347e52ade99d
  • SHA512
    3aa09a1faeab3854ccc09c3cbebfdc70e1b9c613ccc8984ab0e2b462305af5e7c02c411b9da181b22717ba93286419510cc30ed8b8d07a96ab7087d83d5b2c46
  • SSDEEP
    384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhRa:hDXWipuE+K3/SSHgxO

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\53c458b4ed395f5b0d39bdc8834915b6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\DEMDEDA.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMDEDA.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Local\Temp\DEM369A.exe
        "C:\Users\Admin\AppData\Local\Temp\DEM369A.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Users\Admin\AppData\Local\Temp\DEM8D42.exe
          "C:\Users\Admin\AppData\Local\Temp\DEM8D42.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Users\Admin\AppData\Local\Temp\DEME447.exe
            "C:\Users\Admin\AppData\Local\Temp\DEME447.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1316
            • C:\Users\Admin\AppData\Local\Temp\DEM3ACF.exe
              "C:\Users\Admin\AppData\Local\Temp\DEM3ACF.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:324
              • C:\Users\Admin\AppData\Local\Temp\DEM90EA.exe
                "C:\Users\Admin\AppData\Local\Temp\DEM90EA.exe"
                7⤵
                • Executes dropped EXE
                PID:2276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DEM369A.exe
    Filesize: 14KB
    MD5: c984827a7f8adc5f88fea4b2884e6f2d
    SHA1: 36a132d2fdc9759b90012e4f3b0ef35e23b7df6c
    SHA256: 9f011a3e655a40fc20a4fe0fbdf650ef89d78cd2a09e7a1fd669212198d01f1c
    SHA512: 6ceb4cd1bbddf88fda018b5445a13531313c5b909d5000ded4625384facd14f92837849005b7ffbb499ef1cfbc3b42e3d172ce9cff8036d839b714a23743e212

  • \Users\Admin\AppData\Local\Temp\DEM3ACF.exe
    Filesize: 14KB
    MD5: eeacb95b3f98829e55e9745b8273a96c
    SHA1: eb2306bafacc1012a86ca47a8834e7adb302a651
    SHA256: 0b49a5cf7be1facd12f66ab47e8e15a4f28ae5060c430fdcba731c475cd5264b
    SHA512: 8fb80f9d2ec3bcb84cd4ba040b47177751f9f1170d1eeb7053fbc13a5a6b771ec155f6dbce39662f5d2df64c8ece97d39203eb750406d49f89509200f85a7bad

  • \Users\Admin\AppData\Local\Temp\DEM8D42.exe
    Filesize: 14KB
    MD5: bf523761282ea93c0867b2d16111775f
    SHA1: 04b630bb819398c200f956781e0f11a365eca8ea
    SHA256: 0e69d4fb92a0864a9d89d40275bc2780e38fe6c87b4fef5f87cb29cda09b2139
    SHA512: 6ebec18fba43252ccd49e373def401238c06c4af0980aed0508e92cd3d11f7c8e21ce6fc271ebcdacacf394817d08f8bf2a65c69b3de9c1557d22191d40092b8

  • \Users\Admin\AppData\Local\Temp\DEM90EA.exe
    Filesize: 14KB
    MD5: 45efe3ff004f5a5f4522c8bcf0d0f118
    SHA1: d35faca5a2fde06c47deaead5efccb61f31aba3e
    SHA256: e0a839dd84a9d5a7b661d5e72347d20660dbcc8c6302b0f8597184ac54944001
    SHA512: c82f6558ad561ae74a71a5211542f3eae12c4242e1f8e2a837be31b33091b80c917293095a6cacc6503f5563e6f370d05bc4610ecaf025125b2f93f65e864349

  • \Users\Admin\AppData\Local\Temp\DEMDEDA.exe
    Filesize: 14KB
    MD5: 524f0d6ee572ddd90ac64046c0cdc9d7
    SHA1: aa8487e77201457b7b212862038f6599814c67c3
    SHA256: c661a56118223a5a13fa9d7ec8492882c6f0fe5c0f3c7cff7a130b6645ab31c3
    SHA512: 3643c999f877ff86a1f8b9059234d0fd4a8c159e24aff38e611f9faf2f9e2788d88bd9ad6500a2352e9057eac3b1d83022ecb865bd4d0a255426b2256500c492

  • \Users\Admin\AppData\Local\Temp\DEME447.exe
    Filesize: 14KB
    MD5: 164243472db130578839b38b64279b4c
    SHA1: 09697deeb318ebc76d5f718704726c04e14a3ced
    SHA256: 2be7554ed02b8a35edbe201d985007670ee306660c61aad75b87ee87a05f0640
    SHA512: 32b9a8ca214fccea0ded5f9b110069e61d0f81d3d79839d2e23229bfd5c34cda1dc7561486a5592ff761eccd4cc0076d696e2a0cab1d147e6967fa8bf5f9382f