2e55953f081dcca78557a5b8be0a7015b828b8ad013f3470ee4e432c7897f340

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
Size

68KB
MD5

26b2b049141a1121afd944b3b33681c2
SHA1

32df277749336581899f630bf11d36a70d68a592
SHA256

2e55953f081dcca78557a5b8be0a7015b828b8ad013f3470ee4e432c7897f340
SHA512

c52433eed1dbf78955c9358fdb4bf97dd3cd9a50eccb17d49426c8fda76805da70884bf662a274d69aef326af7714602c4234b388790fa1df65f230802500f2b
SSDEEP

1536:0txwjjK7lp27GjV3P1YVl3oyzrmg/t01fUS95vSVuE:kqjm+l4yzr9/t09US7SL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	vmtrwm.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	vmtrwm.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vmtrwm.exe	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vmtrwm.exe	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hra33.dll	vmtrwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2820	vmtrwm.exe

Suspicious behavior: MapViewOfSection 43 IoCs

pid	Process
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe
2820	vmtrwm.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
Token: SeDebugPrivilege	2820	vmtrwm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
2820	vmtrwm.exe
2820	vmtrwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 372	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	3
PID 2784 wrote to memory of 372	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	3
PID 2784 wrote to memory of 372	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	3
PID 2784 wrote to memory of 372	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	3
PID 2784 wrote to memory of 372	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	3
PID 2784 wrote to memory of 372	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	3
PID 2784 wrote to memory of 372	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	3
PID 2784 wrote to memory of 384	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	4
PID 2784 wrote to memory of 384	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	4
PID 2784 wrote to memory of 384	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	4
PID 2784 wrote to memory of 384	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	4
PID 2784 wrote to memory of 384	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	4
PID 2784 wrote to memory of 384	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	4
PID 2784 wrote to memory of 384	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	4
PID 2784 wrote to memory of 420	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	5
PID 2784 wrote to memory of 420	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	5
PID 2784 wrote to memory of 420	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	5
PID 2784 wrote to memory of 420	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	5
PID 2784 wrote to memory of 420	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	5
PID 2784 wrote to memory of 420	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	5
PID 2784 wrote to memory of 420	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	5
PID 2784 wrote to memory of 468	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	6
PID 2784 wrote to memory of 468	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	6
PID 2784 wrote to memory of 468	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	6
PID 2784 wrote to memory of 468	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	6
PID 2784 wrote to memory of 468	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	6
PID 2784 wrote to memory of 468	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	6
PID 2784 wrote to memory of 468	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	6
PID 2784 wrote to memory of 476	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	7
PID 2784 wrote to memory of 476	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	7
PID 2784 wrote to memory of 476	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	7
PID 2784 wrote to memory of 476	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	7
PID 2784 wrote to memory of 476	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	7
PID 2784 wrote to memory of 476	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	7
PID 2784 wrote to memory of 476	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	7
PID 2784 wrote to memory of 484	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	8
PID 2784 wrote to memory of 484	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	8
PID 2784 wrote to memory of 484	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	8
PID 2784 wrote to memory of 484	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	8
PID 2784 wrote to memory of 484	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	8
PID 2784 wrote to memory of 484	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	8
PID 2784 wrote to memory of 484	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	8
PID 2784 wrote to memory of 596	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	9
PID 2784 wrote to memory of 596	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	9
PID 2784 wrote to memory of 596	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	9
PID 2784 wrote to memory of 596	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	9
PID 2784 wrote to memory of 596	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	9
PID 2784 wrote to memory of 596	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	9
PID 2784 wrote to memory of 596	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	9
PID 2784 wrote to memory of 676	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	10
PID 2784 wrote to memory of 676	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	10
PID 2784 wrote to memory of 676	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	10
PID 2784 wrote to memory of 676	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	10
PID 2784 wrote to memory of 676	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	10
PID 2784 wrote to memory of 676	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	10
PID 2784 wrote to memory of 676	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	10
PID 2784 wrote to memory of 760	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	11
PID 2784 wrote to memory of 760	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	11
PID 2784 wrote to memory of 760	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	11
PID 2784 wrote to memory of 760	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	11
PID 2784 wrote to memory of 760	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	11
PID 2784 wrote to memory of 760	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	11
PID 2784 wrote to memory of 760	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	11
PID 2784 wrote to memory of 812	2784	26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe	12

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:468
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2400
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:760
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1232
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:848
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:992
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:300
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:364
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1052
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1128
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:932
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\vmtrwm.exe
    C:\Windows\SysWOW64\vmtrwm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2820
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\26b2b049141a1121afd944b3b33681c2_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vmtrwm.exe

Filesize
68KB

MD5
26b2b049141a1121afd944b3b33681c2

SHA1
32df277749336581899f630bf11d36a70d68a592

SHA256
2e55953f081dcca78557a5b8be0a7015b828b8ad013f3470ee4e432c7897f340

SHA512
c52433eed1dbf78955c9358fdb4bf97dd3cd9a50eccb17d49426c8fda76805da70884bf662a274d69aef326af7714602c4234b388790fa1df65f230802500f2b

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
7KB

MD5
7147ff24579a477a1a34696926e573f1

SHA1
9127ea8d813ecd5788b3f97777931ec79b7760e9

SHA256
fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267

SHA512
077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d

Download Submit
memory/2784-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2784-1-0x0000000076EFF000-0x0000000076F00000-memory.dmp

Filesize
4KB

Download
memory/2784-2-0x0000000076F00000-0x0000000076F01000-memory.dmp

Filesize
4KB

Download
memory/2784-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2784-6-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2820-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download