2e5f1b59d27d3fda9cef7d1e0d3243026bc8d22a108197f250337ae295d55b47

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
Size

199KB
MD5

f1a4267ce37c0b474c4fa3e81dedccaf
SHA1

dd44f43f7cacc0585eeec54d47cecb46084b5d42
SHA256

2e5f1b59d27d3fda9cef7d1e0d3243026bc8d22a108197f250337ae295d55b47
SHA512

41d95d6f3c6b2e046bb095d2bb83243f71954a35702d89398b00e1426bd6eeaceb570f053babb07e2980f5ead9e4417987680e7ed277d9e98cf42f5d67b9bde7
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B87pj7kgnYg:o68i3odBiTl2+TCU/W7k8b

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\winhash_up.exez	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\winhash_up.exe	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File opened for modification	C:\Windows\winhash_up.exez	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
File created	C:\Windows\bugMAKER.bat	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2628	2072	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2628	2072	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2628	2072	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2628	2072	f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1a4267ce37c0b474c4fa3e81dedccaf_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
90B

MD5
c7f023b18cd93403180e8e8e9badb197

SHA1
5945a1142034b7eaf30c29ad2d12ec05653457fc

SHA256
c98bd87501b236293ff3016cca7645f9cd0bce2445ecd3a9fc2cc928d9523174

SHA512
4dfd48655198a9484382b77ff9afb2908d0ecdb13af3a779ea8410ff8fc1ac11189a0aea7d351d25ca6c7d034bcf5a686ee49c18385cf70b6f5bb5df66570b5e

Download Submit
memory/2072-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2628-62-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads