3664da756b5f6c4aed9f51adf42844883e3a78097b039eeeb79d628a385048cc

Analysis

max time kernel
142s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe
Size

193KB
MD5

ecdf7b90425e3bcd55d39d108b696e09
SHA1

220180d2ea7c4f676188f4f6715b72bc328e75ac
SHA256

3664da756b5f6c4aed9f51adf42844883e3a78097b039eeeb79d628a385048cc
SHA512

a40bce48f13fb13b2227c59572cf154c3b5c7b27404e3d4e59645d169dbd2b255370804f775c78406c95e669d4ea3c7134055c32a67050f67b6297da9e797dba
SSDEEP

6144:Trcc//////7iZV6gQt82y8fMh4j8SMC7wz:Trcc//////mZ8vt85h4g/

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2600	Hold-It-V2.exe

Loads dropped DLL 11 IoCs

pid	Process
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2492	WerFault.exe
2900	rundll32.exe
2900	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AMzdV\yspy = "rundll32 C:\\DOCUME~1\\AMzdV\\Sy5.dll,init"	rundll32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\$mehrdad.dat	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2492	2940	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2900	rundll32.exe
Token: SeSecurityPrivilege	2900	rundll32.exe
Token: SeTakeOwnershipPrivilege	2900	rundll32.exe
Token: SeLoadDriverPrivilege	2900	rundll32.exe
Token: SeSystemProfilePrivilege	2900	rundll32.exe
Token: SeSystemtimePrivilege	2900	rundll32.exe
Token: SeProfSingleProcessPrivilege	2900	rundll32.exe
Token: SeIncBasePriorityPrivilege	2900	rundll32.exe
Token: SeCreatePagefilePrivilege	2900	rundll32.exe
Token: SeShutdownPrivilege	2900	rundll32.exe
Token: SeDebugPrivilege	2900	rundll32.exe
Token: SeSystemEnvironmentPrivilege	2900	rundll32.exe
Token: SeRemoteShutdownPrivilege	2900	rundll32.exe
Token: SeUndockPrivilege	2900	rundll32.exe
Token: SeManageVolumePrivilege	2900	rundll32.exe
Token: 33	2900	rundll32.exe
Token: 34	2900	rundll32.exe
Token: 35	2900	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2900	rundll32.exe
Token: SeSecurityPrivilege	2900	rundll32.exe
Token: SeTakeOwnershipPrivilege	2900	rundll32.exe
Token: SeLoadDriverPrivilege	2900	rundll32.exe
Token: SeSystemProfilePrivilege	2900	rundll32.exe
Token: SeSystemtimePrivilege	2900	rundll32.exe
Token: SeProfSingleProcessPrivilege	2900	rundll32.exe
Token: SeIncBasePriorityPrivilege	2900	rundll32.exe
Token: SeCreatePagefilePrivilege	2900	rundll32.exe
Token: SeShutdownPrivilege	2900	rundll32.exe
Token: SeDebugPrivilege	2900	rundll32.exe
Token: SeSystemEnvironmentPrivilege	2900	rundll32.exe
Token: SeRemoteShutdownPrivilege	2900	rundll32.exe
Token: SeUndockPrivilege	2900	rundll32.exe
Token: SeManageVolumePrivilege	2900	rundll32.exe
Token: 33	2900	rundll32.exe
Token: 34	2900	rundll32.exe
Token: 35	2900	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2900	rundll32.exe
Token: SeSecurityPrivilege	2900	rundll32.exe
Token: SeTakeOwnershipPrivilege	2900	rundll32.exe
Token: SeLoadDriverPrivilege	2900	rundll32.exe
Token: SeSystemProfilePrivilege	2900	rundll32.exe
Token: SeSystemtimePrivilege	2900	rundll32.exe
Token: SeProfSingleProcessPrivilege	2900	rundll32.exe
Token: SeIncBasePriorityPrivilege	2900	rundll32.exe
Token: SeCreatePagefilePrivilege	2900	rundll32.exe
Token: SeShutdownPrivilege	2900	rundll32.exe
Token: SeDebugPrivilege	2900	rundll32.exe
Token: SeSystemEnvironmentPrivilege	2900	rundll32.exe
Token: SeRemoteShutdownPrivilege	2900	rundll32.exe
Token: SeUndockPrivilege	2900	rundll32.exe
Token: SeManageVolumePrivilege	2900	rundll32.exe
Token: 33	2900	rundll32.exe
Token: 34	2900	rundll32.exe
Token: 35	2900	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2940	rundll32.exe
Token: SeSecurityPrivilege	2940	rundll32.exe
Token: SeTakeOwnershipPrivilege	2940	rundll32.exe
Token: SeLoadDriverPrivilege	2940	rundll32.exe
Token: SeSystemProfilePrivilege	2940	rundll32.exe
Token: SeSystemtimePrivilege	2940	rundll32.exe
Token: SeProfSingleProcessPrivilege	2940	rundll32.exe
Token: SeIncBasePriorityPrivilege	2940	rundll32.exe
Token: SeCreatePagefilePrivilege	2940	rundll32.exe
Token: SeShutdownPrivilege	2940	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	Hold-It-V2.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2900	2844	ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2900	2844	ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2900	2844	ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2900	2844	ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2900	2844	ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2900	2844	ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2900	2844	ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe	28
PID 2900 wrote to memory of 2940	2900	rundll32.exe	29
PID 2900 wrote to memory of 2940	2900	rundll32.exe	29
PID 2900 wrote to memory of 2940	2900	rundll32.exe	29
PID 2900 wrote to memory of 2940	2900	rundll32.exe	29
PID 2900 wrote to memory of 2940	2900	rundll32.exe	29
PID 2900 wrote to memory of 2940	2900	rundll32.exe	29
PID 2900 wrote to memory of 2940	2900	rundll32.exe	29
PID 2940 wrote to memory of 1228	2940	rundll32.exe	21
PID 2940 wrote to memory of 2492	2940	rundll32.exe	30
PID 2940 wrote to memory of 2492	2940	rundll32.exe	30
PID 2940 wrote to memory of 2492	2940	rundll32.exe	30
PID 2940 wrote to memory of 2492	2940	rundll32.exe	30
PID 2900 wrote to memory of 2600	2900	rundll32.exe	31
PID 2900 wrote to memory of 2600	2900	rundll32.exe	31
PID 2900 wrote to memory of 2600	2900	rundll32.exe	31
PID 2900 wrote to memory of 2600	2900	rundll32.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdf7b90425e3bcd55d39d108b696e09_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 C:\Users\Admin\AppData\Local\Temp\mydll.dll,DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 C:\DOCUME~1\AMzdV\Sy5.dll,init
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 288
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2492
  - - C:\Users\Admin\appdata\local\temp\Hold-It-V2.exe
      "C:\Users\Admin\appdata\local\temp\Hold-It-V2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DOCUME~1\AMzdV\Sy5.dll

Filesize
306KB

MD5
8230e08ad70900dfb91feb35b790d4ce

SHA1
dbf7b023378705463b195f760c4a00bce5d626f2

SHA256
9a8fe650f226c4d8b26aba4cf632b1bf479d9deeb45c4a06c6bbb7af87b97551

SHA512
7da46843ef401ff5904e997b778ca87d566bc0ed83c53e460feee396f9c960b820e23c449d8219165ae2d1cdaf0b4993e1c9182245b80083f0aeecf21d25669a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mydll.dll

Filesize
443KB

MD5
ca3b03b7e17dcad3521b56ef0bbf9a7e

SHA1
162f17620167bef7c36304f0807fb76ab94f4461

SHA256
8d7add05a42b13e6b21470dcbd8d3a939f7eb007f068b91f8f76575fce3a0482

SHA512
ce481a126b71d229842f81a609d59d35f21710ceac94522bd185355229f1ddd622d4024101a029ec2cbe6735d70181770c48e3b824ac129f9f08c5aba510b675

Download Submit
\Users\Admin\AppData\Local\Temp\Hold-It-V2.exe

Filesize
136KB

MD5
6fc29009fcefb9471e1663226b086722

SHA1
b2ed5e1b987f16085dc1a58f4ab22e6845e3cf27

SHA256
6c523a0c7dcad7fe826c68dfaebf9e1cb8a92678581adb773b94ae9cd7906312

SHA512
bf3e61b85f8c38ce3ea11b90362e06850a3294bffca81896212c2da1567740f68abb0459f1abced6b3884c2712eca17b9eeea4d47b0a9d93e553b242a83878c2

Download Submit
memory/1228-19-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2844-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2844-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2900-6-0x0000000000120000-0x00000000001A4000-memory.dmp

Filesize
528KB

Download
memory/2900-22-0x0000000000120000-0x00000000001A4000-memory.dmp

Filesize
528KB

Download
memory/2940-18-0x0000000000230000-0x0000000000292000-memory.dmp

Filesize
392KB

Download
memory/2940-23-0x0000000000230000-0x0000000000292000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads