4a226ecfd14165ea12e545a3d213ede583acbce889e48a7dcacbc0073483d5a7

Analysis

max time kernel
142s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe
Size

407KB
MD5

f5d0311b783bf0a277fb6083f79d689e
SHA1

2c18126ea6c87b9c34b3af5ed1f532f9d68ab14a
SHA256

4a226ecfd14165ea12e545a3d213ede583acbce889e48a7dcacbc0073483d5a7
SHA512

088b386c3a0f9ddc7ba2a041257171341b4f9e54e8cef6fea17386304e88e87655f852fe02b1caaffd98d1a2da31fff0fd0fc67ff7bbe322687118e6019cc446
SSDEEP

1536:q5GJEhlcbW5sk1BlfLvveIbXWm+nwN6JEIZ2D0qePkrdPzE3RC19NEyzbzCzUksX:IGu9BlfzWIbXWm+w0JvVQpHNEkSzZsgs

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a000000012272-2.dat	aspack_v212_v242
behavioral1/memory/2784-8-0x00000000001B0000-0x00000000001BB000-memory.dmp	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1556	FBHACK~1.EXE

Loads dropped DLL 3 IoCs

pid	Process
2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe
2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe
1556	FBHACK~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1556	2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe	28
PID 2784 wrote to memory of 1556	2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe	28
PID 2784 wrote to memory of 1556	2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe	28
PID 2784 wrote to memory of 1556	2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe	28
PID 2784 wrote to memory of 1556	2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe	28
PID 2784 wrote to memory of 1556	2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe	28
PID 2784 wrote to memory of 1556	2784	f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5d0311b783bf0a277fb6083f79d689e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FBHACK~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FBHACK~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\FBHACK~1.EXE

Filesize
11KB

MD5
6d1ee359bb90d1fd7e4cc1a0269a9de0

SHA1
a49b5ec9e7c09626bad9549b29e77bd400ea335d

SHA256
9ce28617818c83a25847431e9bae3dfb074cfd07695741579c81fad9d132ea50

SHA512
2c12abf4422442a5961c939e2acb2abf887e273326f142296281fb3a12e9aee42bc047dc0256d0be49ea20bc072835cccc4e0cf9c6aaafe5bde87e1a10341414

Download Submit
memory/1556-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2784-12-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2784-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads