ba15f4cc631a4e662256bb24b26c911b4be12b903889f1cb50fe9315b8b78a9d

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe
Size

192KB
MD5

f0d46f44af2962077f940cef9db0c933
SHA1

3749aa7a970915013a1383f9f91932fb19d16a75
SHA256

ba15f4cc631a4e662256bb24b26c911b4be12b903889f1cb50fe9315b8b78a9d
SHA512

659570b5917cb8771a3b75d143230ac10709da4bc59a59d0f3c5ddd47b038df8b617e9b2f6cb742080f0ff95e9cf4ec870ed71ebb799291fde5eb06ff8733a25
SSDEEP

3072:RPhkEF+DGE6NeMSGoLni07oJdFCKK5FmDMP5:RpkEF+DGEoeNGoLni07oJdFCt34MP

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "c:\\windows\\SSMS.EXE"	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\volks.dll	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\volks.dll	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\volks2.dll	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\volks2.dll	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SSMS.EXE	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe
File created	\??\c:\windows\SSMS.EXE	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1640	f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0d46f44af2962077f940cef9db0c933_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SSMS.EXE

Filesize
192KB

MD5
f0d46f44af2962077f940cef9db0c933

SHA1
3749aa7a970915013a1383f9f91932fb19d16a75

SHA256
ba15f4cc631a4e662256bb24b26c911b4be12b903889f1cb50fe9315b8b78a9d

SHA512
659570b5917cb8771a3b75d143230ac10709da4bc59a59d0f3c5ddd47b038df8b617e9b2f6cb742080f0ff95e9cf4ec870ed71ebb799291fde5eb06ff8733a25

Download Submit
C:\Windows\SysWOW64\volks.dll

Filesize
1.1MB

MD5
2ee1e467d73642afddb03019f58c252b

SHA1
ea1f3b03f46db029a955190692cecbc571e1d46c

SHA256
5a7d5dafe22082b3ed035d640578ed7b5005edfe80e5c911774ec77a2caff1b3

SHA512
3482715d7c9adbfe61f7834120d1a8fce47ae5d70add285ddcfe8802a5d4a95ae00ae82079b9b9639c5d4fa5126ecfc61e1b09a141c0fea86926e26fc22f9082

Download Submit
C:\Windows\SysWOW64\volks2.dll

Filesize
12.3MB

MD5
16ab4bd2acc52109f43739bf0e89e18f

SHA1
1ba58d221a2c95178ae479affc29585b3a37bd01

SHA256
8bf53004f8a413598b46c2ecfba1ea581836e0e0839047471622f31a4a065dd7

SHA512
fda093172bebaedcfe99946611414a3fa44d288c0e2c9aee6c2c0ed97f699e3bd7c4bb9b48712db938652084d38010b5f4c6041f69765a1293d197fa8ba59fd6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads