22a8bd45fe17fe81ddd8f43dda235c4e16d18a430db8b2d812ad5ae30f925ac4

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4d2f247040c44ec2471916c7792ea06_JaffaCakes118.exe
Size

147KB
MD5

c4d2f247040c44ec2471916c7792ea06
SHA1

b87219cc70a673b14022718745c066044c9a9fb2
SHA256

22a8bd45fe17fe81ddd8f43dda235c4e16d18a430db8b2d812ad5ae30f925ac4
SHA512

ea2d510ec3e5fef1670c9964b12dd276e8711685ca7edf2b5eee08c73acbdfe038a6d64d3279cfe2f65e73a38c91468e54202763542904b8e761472ac8d8cd22
SSDEEP

3072:2CMiqJl3v1S4AsvdhxBz8bNk/AKItB/pL/s9hlSLUFWzv:2CMzfM4vxBIO+XpDnUUzv

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
876	tbckyxk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\tbckyxk.exe	c4d2f247040c44ec2471916c7792ea06_JaffaCakes118.exe
File created	C:\PROGRA~3\Mozilla\newtrln.dll	tbckyxk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 876	2364	taskeng.exe	31
PID 2364 wrote to memory of 876	2364	taskeng.exe	31
PID 2364 wrote to memory of 876	2364	taskeng.exe	31
PID 2364 wrote to memory of 876	2364	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\c4d2f247040c44ec2471916c7792ea06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c4d2f247040c44ec2471916c7792ea06_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
PID:2236

C:\Windows\system32\taskeng.exe
taskeng.exe {F0988B4D-09F6-4F78-A063-6641B58E5F7A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\PROGRA~3\Mozilla\tbckyxk.exe
  C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\tbckyxk.exe

Filesize
147KB

MD5
7b0ad8a88330ab28bc835b7ef0dd6432

SHA1
b53b0f28ddb036adaa65557c6b4173f21593f475

SHA256
802e7365f28899be3a2ed5387360d2db9f22e452d8775f282bedf8aff1e114d7

SHA512
6fa67b5cdfe0bc64e6d4e4d27cedee9bfb3f3780422a3d318075df84eaa3b13c6414be8eefaeba0ae95362b65a9ed5f6e5a61d35d6141c1a181bf8001ffc298a

Download Submit
memory/876-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/876-11-0x00000000001B0000-0x000000000020B000-memory.dmp

Filesize
364KB

Download
memory/876-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2236-1-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2236-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download