43de6a5a18edb9a4603436ea3e5ec8359464132b5f2746330f01c2dea2fdb668

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 03:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe
Size

3.8MB
MD5

fbd18bd5a62ed3061d44210f6d380464
SHA1

fc82510062e5e22491d4b7bd06f6dc1677e88679
SHA256

43de6a5a18edb9a4603436ea3e5ec8359464132b5f2746330f01c2dea2fdb668
SHA512

9a69ef8e46f41ce5ce46b5f5cfade142e1fda93857d9400aa681da5130e3ea4a073ff9bb689c36b6853192d3bed22d112f6ece8f4b9dd68342daf93455139804
SSDEEP

98304:PR1zAJDWDGrMBomTVF2Jpn3u8G97PaZL:51zmica7K8Fra

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2064	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windowsupdate = "C:\\Arquivos de programas\\Windowsupdate.exe"	fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Menu Iniciar\Iniciar\Windowsupdate.exe	fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2960	fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2064	2960	fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2064	2960	fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2064	2960	fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2064	2960	fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbd18bd5a62ed3061d44210f6d380464_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Arquivos de programas\Windowsupdate.exe RPC
  2⤵
  - Modifies Windows Firewall
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2960-0-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2960-1-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-2-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-3-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2960-4-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-5-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-6-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-7-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-8-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-9-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-10-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-11-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-12-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-13-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-14-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download
memory/2960-15-0x0000000000400000-0x0000000000E36000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads