149d72fb1177b56a2f0f19f6c327e35e54be22adf5da69fae793d185d6a1ed9a

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 15:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe
Size

5.6MB
MD5

09d8b6a6f9b0af7e7231b59cb64a46a1
SHA1

b25351fce73919d3824fdd2878a5adcb04948708
SHA256

149d72fb1177b56a2f0f19f6c327e35e54be22adf5da69fae793d185d6a1ed9a
SHA512

1750d1da18b8191120911d6e825769756a2cb980509652e04abbf4be5859b38130b3f22b779faf21f4565a498b843c4701456736baefd8fcb216bfcd04f3708d
SSDEEP

98304:XJBOFuglWOg2Zwk0JEj1XNsouKr2l9Anj/SMB/dysaQqGWy:Nglm2Z/0JiXNJilM7SMhdyZQtWy

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ipinfo.io

Executes dropped EXE 1 IoCs

pid	Process
2320	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp

Loads dropped DLL 4 IoCs

pid	Process
1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe
2320	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp
2320	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp
2320	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2320	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2320	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2320	1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2320	1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2320	1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2320	1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2320	1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2320	1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe	28
PID 1976 wrote to memory of 2320	1976	09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\is-0A6AI.tmp\09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0A6AI.tmp\09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp" /SL5="$40154,5394585,424448,C:\Users\Admin\AppData\Local\Temp\09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0A6AI.tmp\09d8b6a6f9b0af7e7231b59cb64a46a1_JaffaCakes118.tmp

Filesize
1.0MB

MD5
ab126f7f9ff2e7902ff2bbdc1a6d3158

SHA1
e70931b8db1b8138f80b1520e2ac694cdf4d1e24

SHA256
89d0cfa56bacc7981227bf45e2983dd6bff5baa359ebf756ef2b171b5668e515

SHA512
9790f0b324c8e580f42ccbf02a5289155ac7b5fc7215115922d91fd4dbcb63edf0da7ff3cf8da3d07e91a9621c7d38d757a130bc5f117244dd459c2793a8fc1e

Download Submit
\Users\Admin\AppData\Local\Temp\is-8PUSO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8PUSO.tmp\inno_analytics.dll

Filesize
1.0MB

MD5
7bcdc00cc5b24f088ebe767865736ae0

SHA1
8c2a2161db936291d9444850e03aaa93d76d1db0

SHA256
2dd671444b4213f09fa902d415a4d16cfd28eda780fd1128017311f6637ed1ac

SHA512
803a1561fa81d83b7913251676d362cd6ed4f7f3eaf5d87e0026680ac16fa90d9aabc0f7858fc9ad101366d3dda0ba58a358e8d576411ef7afd388fe2be8b280

Download Submit
memory/1976-1-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1976-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2320-24-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2320-17-0x0000000002030000-0x0000000002145000-memory.dmp

Filesize
1.1MB

Download
memory/2320-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2320-26-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2320-27-0x0000000002030000-0x0000000002145000-memory.dmp

Filesize
1.1MB

Download
memory/2320-31-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2320-32-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2320-47-0x0000000002030000-0x0000000002145000-memory.dmp

Filesize
1.1MB

Download