Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21/04/2024, 05:42

General

  • Target

    fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe

  • Size

    317KB

  • MD5

    fe914e545e6619379b586976da83ff8c

  • SHA1

    593071e1859d8d3ead7c12618996eddfe4aa763b

  • SHA256

    ee87c0206a3a229a610280d097f30597f79e93d1c74ede9a1b2b86e7afe0a164

  • SHA512

    a6af73bc62daa09921de203a17277e8ffdd9155f3ff575feb09c23fe78e4056540672143979122297d8512a80604b9719da252b58c8a38addf343e1988bf3dc7

  • SSDEEP

    6144:93+W3HxuuQagkTj9hBhf+q/R+eDDyVMKOKhWKO9POgVxiarcEqh9D1m:ceHx19g2jfBNWrVtOIWHPR+Eco

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\ProgramData\mMpKoKn07003\mMpKoKn07003.exe
      "C:\ProgramData\mMpKoKn07003\mMpKoKn07003.exe" "C:\Users\Admin\AppData\Local\Temp\fe914e545e6619379b586976da83ff8c_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\mMpKoKn07003\mMpKoKn07003.exe

    Filesize

    317KB

    MD5

    a9c9a35f1906fbf0ca9f099c89c89c5d

    SHA1

    33e9a159508a34b670730401ca11810d8aa2a8e5

    SHA256

    94dee6e5fe75310ca0ed16123d7847cab5e4b7ffc84a0ccbd60dc30c413d3e7c

    SHA512

    2602b91c7a08fb92b49c4eef6a200aa4101eec3999e62a79f73915583ed967f99b2d908cdfd36357ec83bc433b8e190dfa74da9d32a3b6bb1418017a620747dc

  • memory/2160-1-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2160-0-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2160-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2160-4-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2160-5-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2160-25-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2160-33-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2956-22-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2956-26-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

  • memory/2956-34-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB