Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 02:59

General

  • Target

    815566cfa896c06cff241371523c4acd_JaffaCakes118.exe

  • Size

    10.1MB

  • MD5

    815566cfa896c06cff241371523c4acd

  • SHA1

    a0d3e1319f3790fea994396a5701b1b1b3c31239

  • SHA256

    67cc8e079c9f46aaa2c174288ca62ff8c2b790fd4168f816be736ef972a45816

  • SHA512

    1c34bdc22dbc21a1501940c5171128a6f77e66fb78aebf5ec3fd9c0316bc07ede9d0b7989fdfd58278c910f74d5acac2d0f3e7f1ed0cc483c94c0eca78bfc70b

  • SSDEEP

    196608:cmbZsMDGwfXB1MuUEMP4gGgeBGDF+KSwstsNOxsx54GTv3piOMHrIppUrqbr/WLc:jbXSwfoEMP4AeBKF+KSwstfxBsd1qvQx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\815566cfa896c06cff241371523c4acd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\815566cfa896c06cff241371523c4acd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Users\Admin\AppData\Local\Temp\Discord_server.exe
      "C:\Users\Admin\AppData\Local\Temp\Discord_server.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Local\Temp\Discord_server.exe
        "C:\Users\Admin\AppData\Local\Temp\Discord_server.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1408
    • C:\Users\Admin\AppData\Local\Temp\jinn_is.exe
      "C:\Users\Admin\AppData\Local\Temp\jinn_is.exe"
      2⤵
      • Executes dropped EXE
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI28482\python39.dll

    Filesize

    4.3MB

    MD5

    1d5e4c20a20740f38f061bdf48aaca4f

    SHA1

    de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

    SHA256

    f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

    SHA512

    9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

  • C:\Users\Admin\AppData\Local\Temp\jinn_is.exe

    Filesize

    151KB

    MD5

    0d4a53b05396e1e186439b2f22f3d684

    SHA1

    949f34684f891e98a709c06b4ec69a810a5ca5a9

    SHA256

    643518f0a7e0140b40c012836a4f505833773c56126dd40ea25c58ccde92b31f

    SHA512

    d2a18e51e70846f16c415b884304305a78b1ec878d040cd5afcee40af743dd19a526cfd77e5a5c73c78915a65979372209dccee1c97b702aeebdf83ef141bb4d

  • \Users\Admin\AppData\Local\Temp\Discord_server.exe

    Filesize

    10.1MB

    MD5

    5b7338c1936cbc02c96853782903990c

    SHA1

    42923983bd7d1f1cbce712839b1591d29496df62

    SHA256

    40bf4ccd73037c1b67201a9a4c521f3c5d3fc5a472a92985eb0082deaa22c7b8

    SHA512

    fc12c23744c1c514a9916a303cfd80c162028e8079c59f9625f64640b595607605c8a49395698c9bf32fbd5891dbaafd4c0d7b26af026a13ede58f205fcd0eb9

  • memory/2852-15-0x000000013FBC0000-0x000000013FBFC000-memory.dmp

    Filesize

    240KB

  • memory/2852-66-0x000000013FBC0000-0x000000013FBFC000-memory.dmp

    Filesize

    240KB