774a06ee0917bab638b98728742962cc11d409d5fc4f6ed5194a9c64a5f2cc2d

Analysis

max time kernel
138s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe
Size

94KB
MD5

fc751a15219828b9113b4e65e0c297f8
SHA1

80600491c2ec6804a336d7c81360d234ed471fb0
SHA256

774a06ee0917bab638b98728742962cc11d409d5fc4f6ed5194a9c64a5f2cc2d
SHA512

719fd3509d65f05ca797e09733069cca9d33531b441124422db5a4dc61e82b8ef53a51f80a33d143533910a3877c83d8337240dda070277af891b527f21d9016
SSDEEP

1536:wAdSRwm/V4skJaw/Z4Rofy+fRkjTb5TnqY0rKFm070Ck5nGVvTqnqy9RlqGVv1:wyewmN4skJaU4ZBjX5TnqYCKFmlorqqI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	register.exe

Loads dropped DLL 5 IoCs

pid	Process
2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe
2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe
2052	register.exe
2052	register.exe
2052	register.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yemdc.exe	register.exe
File opened for modification	C:\Windows\SysWOW64\yemdc.exe	register.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 2200	2052	register.exe	29
PID 2052 set thread context of 2880	2052	register.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\HQ Codec\register.exe	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe
File created	C:\Program Files (x86)\HQ Codec\register.exe	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2716	ipconfig.exe
2520	ipconfig.exe
2492	ipconfig.exe
2412	ipconfig.exe
2556	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2052	register.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2052	2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2052	2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2052	2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2052	2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2052	2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2052	2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2052	2032	fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2200	2052	register.exe	29
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2052 wrote to memory of 2880	2052	register.exe	30
PID 2200 wrote to memory of 2716	2200	iexplore.exe	31
PID 2200 wrote to memory of 2716	2200	iexplore.exe	31
PID 2200 wrote to memory of 2716	2200	iexplore.exe	31
PID 2200 wrote to memory of 2716	2200	iexplore.exe	31
PID 2200 wrote to memory of 2716	2200	iexplore.exe	31
PID 2200 wrote to memory of 2716	2200	iexplore.exe	31
PID 2200 wrote to memory of 2716	2200	iexplore.exe	31
PID 2200 wrote to memory of 2520	2200	iexplore.exe	32
PID 2200 wrote to memory of 2520	2200	iexplore.exe	32
PID 2200 wrote to memory of 2520	2200	iexplore.exe	32
PID 2200 wrote to memory of 2520	2200	iexplore.exe	32
PID 2200 wrote to memory of 2520	2200	iexplore.exe	32
PID 2200 wrote to memory of 2520	2200	iexplore.exe	32
PID 2200 wrote to memory of 2520	2200	iexplore.exe	32
PID 2200 wrote to memory of 2492	2200	iexplore.exe	35
PID 2200 wrote to memory of 2492	2200	iexplore.exe	35
PID 2200 wrote to memory of 2492	2200	iexplore.exe	35
PID 2200 wrote to memory of 2492	2200	iexplore.exe	35
PID 2200 wrote to memory of 2492	2200	iexplore.exe	35
PID 2200 wrote to memory of 2492	2200	iexplore.exe	35
PID 2200 wrote to memory of 2492	2200	iexplore.exe	35
PID 2200 wrote to memory of 2412	2200	iexplore.exe	36
PID 2200 wrote to memory of 2412	2200	iexplore.exe	36
PID 2200 wrote to memory of 2412	2200	iexplore.exe	36
PID 2200 wrote to memory of 2412	2200	iexplore.exe	36
PID 2200 wrote to memory of 2412	2200	iexplore.exe	36
PID 2200 wrote to memory of 2412	2200	iexplore.exe	36
PID 2200 wrote to memory of 2412	2200	iexplore.exe	36
PID 2200 wrote to memory of 2556	2200	iexplore.exe	38
PID 2200 wrote to memory of 2556	2200	iexplore.exe	38
PID 2200 wrote to memory of 2556	2200	iexplore.exe	38
PID 2200 wrote to memory of 2556	2200	iexplore.exe	38
PID 2200 wrote to memory of 2556	2200	iexplore.exe	38
PID 2200 wrote to memory of 2556	2200	iexplore.exe	38
PID 2200 wrote to memory of 2556	2200	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc751a15219828b9113b4e65e0c297f8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files (x86)\HQ Codec\register.exe
  register.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /flushdns
      4⤵
      Gathers network information
      PID:2716
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /registerdns
      4⤵
      Gathers network information
      PID:2520
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /dnsflush
      4⤵
      Gathers network information
      PID:2492
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /renew
      4⤵
      Gathers network information
      PID:2412
  - - C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\System32\ipconfig.exe" /renew_all
      4⤵
      Gathers network information
      PID:2556
- - C:\Windows\SysWOW64\Explorer.exe
    Explorer.exe
    3⤵
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\HQ Codec\register.exe

Filesize
35KB

MD5
1d95755ffcfc57da3b9c32ff5fdb6934

SHA1
c8a33a7b3394c1b4a0ba04d68b07579d711274b3

SHA256
94779bc3bd7e5a2a284a4839bd3b7a18bb59527d88b1d57b0f547eae67360fcc

SHA512
6d17f5a263699b683232f5f6b3c769a88e7c917e55bfbd89d0b847259340ff86d7e0ba36f3dac27c56a01ea4015b80607bc04b22de4b19aa1dde8af895a1324a

Download Submit
memory/2032-3-0x0000000000300000-0x000000000030B000-memory.dmp

Filesize
44KB

Download
memory/2032-11-0x0000000000300000-0x000000000030B000-memory.dmp

Filesize
44KB

Download
memory/2052-16-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2052-17-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2052-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2052-18-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2052-25-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download