eadf6bdd0931c2489b356ae6311f095dcf2b11858ca6d663f97499cf5c259116

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
Size

161KB
MD5

fdd35025d303363a1a51b4baef1a3ca7
SHA1

eb082f5ac48b5364a6822c282f21e5d9ffcc9c6e
SHA256

eadf6bdd0931c2489b356ae6311f095dcf2b11858ca6d663f97499cf5c259116
SHA512

2c8df353b77eadc28af5b0399253db43a9697f379eeaff990a1866df66519d5957a559796fd916d3ce7da8fb4908c31246a15062e4a9e1b2aceafd33e20df36e
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8O:o68i3odBiTl2+TCU/k

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon6.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\winhash_up.exez	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\winhash_up.exe	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File created	C:\Windows\bugMAKER.bat	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
File opened for modification	C:\Windows\winhash_up.exez	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2668	2212	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2668	2212	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2668	2212	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2668	2212	fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdd35025d303363a1a51b4baef1a3ca7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
90B

MD5
0fb68de4ae2dcbd200cda3a985138b24

SHA1
91c20f33ee98f025fd27cf7c3543ed928ded4e26

SHA256
7e78eddcd57eee22bd68a36ebeaf8b3d62a4dad6020d31e165663e582c145ccc

SHA512
009dda03ef1be1b18f81a84388d24b7f7cfe96c5388daa1cdc54b512bdebd5ab5eb7b9097a479ec22f2f86b7db2b4979c21d1e448aaa316af3c760fbe8a706e6

Download Submit
memory/2212-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2668-62-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads