890c9830635eb1674ed15a65790905fbe3ad80eb087ee7433e6da159ddc5cb00

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe
Size

985KB
MD5

a716d9eeea5b456cfdec69a1b34ccc96
SHA1

e757774843c0305a05ee18159f180ae71511c45b
SHA256

890c9830635eb1674ed15a65790905fbe3ad80eb087ee7433e6da159ddc5cb00
SHA512

d5516c9b71a21db1867c7861ec472626de5969bf1293eea7a8964830401435cc0b73f9673e768b6652a8611a539331911aa3df6527c3a5daf61cf43ac25a1104
SSDEEP

24576:yQHyDJBjAObi4M2rIDTU4fmj6J/d28+buJqQlxTB8mv:yQSdBfbiyrIDovj6ldnkQlVB3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2640	winlogon.com
2804	winlogon.com

Loads dropped DLL 3 IoCs

pid	Process
2224	cmd.exe
2640	winlogon.com
2804	winlogon.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2908	PING.EXE
2808	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2640	winlogon.com
2640	winlogon.com
2640	winlogon.com
2804	winlogon.com
2804	winlogon.com
2804	winlogon.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2640	winlogon.com
2640	winlogon.com
2640	winlogon.com
2804	winlogon.com
2804	winlogon.com
2804	winlogon.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1684	1288	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe	28
PID 1288 wrote to memory of 1684	1288	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe	28
PID 1288 wrote to memory of 1684	1288	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe	28
PID 1288 wrote to memory of 1684	1288	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe	28
PID 1684 wrote to memory of 2224	1684	cmd.exe	30
PID 1684 wrote to memory of 2224	1684	cmd.exe	30
PID 1684 wrote to memory of 2224	1684	cmd.exe	30
PID 1684 wrote to memory of 2224	1684	cmd.exe	30
PID 2224 wrote to memory of 2908	2224	cmd.exe	31
PID 2224 wrote to memory of 2908	2224	cmd.exe	31
PID 2224 wrote to memory of 2908	2224	cmd.exe	31
PID 2224 wrote to memory of 2908	2224	cmd.exe	31
PID 2224 wrote to memory of 2536	2224	cmd.exe	32
PID 2224 wrote to memory of 2536	2224	cmd.exe	32
PID 2224 wrote to memory of 2536	2224	cmd.exe	32
PID 2224 wrote to memory of 2536	2224	cmd.exe	32
PID 2224 wrote to memory of 2640	2224	cmd.exe	33
PID 2224 wrote to memory of 2640	2224	cmd.exe	33
PID 2224 wrote to memory of 2640	2224	cmd.exe	33
PID 2224 wrote to memory of 2640	2224	cmd.exe	33
PID 2224 wrote to memory of 2808	2224	cmd.exe	34
PID 2224 wrote to memory of 2808	2224	cmd.exe	34
PID 2224 wrote to memory of 2808	2224	cmd.exe	34
PID 2224 wrote to memory of 2808	2224	cmd.exe	34
PID 2640 wrote to memory of 2804	2640	winlogon.com	35
PID 2640 wrote to memory of 2804	2640	winlogon.com	35
PID 2640 wrote to memory of 2804	2640	winlogon.com	35
PID 2640 wrote to memory of 2804	2640	winlogon.com	35
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36
PID 2804 wrote to memory of 2296	2804	winlogon.com	36

C:\Users\Admin\AppData\Local\Temp\a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < URirtTcZTgDGUQbemk.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 EQcI.sDZ
      4⤵
      Runs ping.exe
      PID:2908
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode wFhAqQFeTfPmKWtV.com H
      4⤵
      PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
      winlogon.com H
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com H
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
        6⤵
        
        PID:2296
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\H

Filesize
493KB

MD5
9524d7b3a00ece4d4fa333165f539c9e

SHA1
ee1afa76cb6e29db17764b9984f0bc594102fd62

SHA256
251156300dc58346dafbe4547985647b1c624dde9dac7f303019ccad42c096c4

SHA512
32b5d434506725eaf7f7f7729097ddec529881e633ddecddc065611c303d4b92d3d027e71a4a887eb27df3b36e4519baba563b24303ba65ccfae1cb65fe364c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\URirtTcZTgDGUQbemk.com

Filesize
358B

MD5
849f5d7dea7512855df4aa0efa683d46

SHA1
cb8f34c8696a9905383649d39e6fb4470f2b3b15

SHA256
337c2d3990188ce1ac1e225b586270da3d49e9c12e9e6a78b4c693e0fa3bdc69

SHA512
1809c3f641fe34cca73a58e6da4dad458f24f3eb22188aa6f545fc310efeb0dd4811797ba8f2df43fa79b38d08331f5b7920ecec9126f855a48395371fff4ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZOECwPkNX.com

Filesize
921KB

MD5
df6fbc5de331f39be67e2b343ff02083

SHA1
2791147f5aba7d5242d531f0444695b9fecb3c42

SHA256
ccefe3c453a32c04dd03e835879aceae0b96e7d25359dc05a8cfa7a880c21936

SHA512
35e1b55975104e9ddf24fc2842848f63c954f6e69bf8a4df370caaad43ff01f259fbd4e96e45bcbd2287192551afa3df5f9ad8726a3331d80a9c53fa558bf8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jtLmogvJ.com

Filesize
200KB

MD5
92d41846075c70c50db6181bd85ef622

SHA1
7ae2891bbc3d4c81eb3c214e0f0e6fa1071381fb

SHA256
3599a4a60536804cc36edd8acb49861799892870ed728eea898fda2eff14074f

SHA512
ab5d92242cffc2787a503cf708bd5a89dabc60f7a5c039b1b940e415d9ddb02f7987855cff5417777e1375160fa5ef524acf187995f0ca30b2d0c931c25483c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wFhAqQFeTfPmKWtV.com

Filesize
678KB

MD5
956bdc5c52451334027c30a37df6623c

SHA1
b2cac7317ab6c52f72034d9d08bcc39d58ea08b6

SHA256
8554810aa4cd6aaf265bcb0f53a77bda66318d2d8654b1942f5b8e5ed8ae6e31

SHA512
8f519cd12517552ea04873b1dae65bb4a24d5ab2fab24dedf5e06c36837fb5931602091c046ac96fe55ce7424ecdf4288c2a516e1e1449c646fd39664aed9f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/2296-24-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-26-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-27-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-28-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-29-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-30-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-31-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-32-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-33-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-34-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-35-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-37-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-36-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-38-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-39-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-40-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-41-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-42-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-43-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-44-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-45-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-46-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-47-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-48-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-49-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-50-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-51-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-52-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-53-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-54-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-55-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-56-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-57-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-58-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-59-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-60-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-61-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-62-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-63-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-64-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-65-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-66-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-67-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-68-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-69-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-70-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-71-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-72-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-73-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-74-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-75-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-76-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-77-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-78-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-80-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-82-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-84-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-86-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2296-88-0x0000000000A20000-0x0000000001A20000-memory.dmp

Filesize
16.0MB

Download
memory/2804-25-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads