Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
21-04-2024 15:39
General
-
Target
ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe
-
Size
227KB
-
MD5
ff9c2ce33fce1585aa1ff20145555761
-
SHA1
0a69962fd393fb450a81b557af000bcc9d8b1e25
-
SHA256
8c9f417cc07060056a707d847258a7a6a98e0ef6a16cb1243222c235d79c86bf
-
SHA512
7572f57ee2ed16996df52c8c70d7e01cfdac1cca15e86334a7f78d370fc6fb5ac3efca4e082e82a5073fcbd4acf116d0e619a3a3d090129e5eeee328ddd0338a
-
SSDEEP
6144:qoEdkmu85Dq+3qM3W7tfQN5/inEaMadDKNa1aILk71:gkmDN6M3atfQunka1KNaTgJ
Score
10/10
Malware Config
Signatures
-
Detect Lumma Stealer payload V4 15 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies security service 2 TTPs 20 IoCs
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 20 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 11 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 32 IoCs
-
Runs .reg file with regedit 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 488 "C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 548 "C:\Windows\SysWOW64\cPaner.com"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 560 "C:\Windows\SysWOW64\cPaner.com"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 564 "C:\Windows\SysWOW64\cPaner.com"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 568 "C:\Windows\SysWOW64\cPaner.com"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 576 "C:\Windows\SysWOW64\cPaner.com"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat8⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 572 "C:\Windows\SysWOW64\cPaner.com"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat9⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 580 "C:\Windows\SysWOW64\cPaner.com"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat10⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 584 "C:\Windows\SysWOW64\cPaner.com"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat11⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cPaner.comC:\Windows\system32\cPaner.com 588 "C:\Windows\SysWOW64\cPaner.com"11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat12⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- Runs .reg file with regedit
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
476B
MD5a5d4cddfecf34e5391a7a3df62312327
SHA104a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA2568961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA51248024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
C:\acx.batFilesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
\Windows\SysWOW64\cPaner.comFilesize
227KB
MD5ff9c2ce33fce1585aa1ff20145555761
SHA10a69962fd393fb450a81b557af000bcc9d8b1e25
SHA2568c9f417cc07060056a707d847258a7a6a98e0ef6a16cb1243222c235d79c86bf
SHA5127572f57ee2ed16996df52c8c70d7e01cfdac1cca15e86334a7f78d370fc6fb5ac3efca4e082e82a5073fcbd4acf116d0e619a3a3d090129e5eeee328ddd0338a
-
memory/892-1466-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/892-1323-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1040-821-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1604-219-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1604-342-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1724-462-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1928-1023-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/1940-702-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2320-151-0x00000000024F0000-0x00000000024F1000-memory.dmpFilesize
4KB
-
memory/2320-167-0x0000000002970000-0x0000000002971000-memory.dmpFilesize
4KB
-
memory/2320-5-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2320-4-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2320-19-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/2320-2-0x00000000003A0000-0x00000000003A1000-memory.dmpFilesize
4KB
-
memory/2320-20-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/2320-22-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/2320-23-0x0000000000530000-0x0000000000531000-memory.dmpFilesize
4KB
-
memory/2320-26-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB
-
memory/2320-24-0x0000000000520000-0x0000000000521000-memory.dmpFilesize
4KB
-
memory/2320-27-0x0000000000540000-0x0000000000541000-memory.dmpFilesize
4KB
-
memory/2320-28-0x0000000000770000-0x0000000000771000-memory.dmpFilesize
4KB
-
memory/2320-29-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/2320-33-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/2320-34-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/2320-49-0x00000000007A0000-0x00000000007A1000-memory.dmpFilesize
4KB
-
memory/2320-35-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/2320-140-0x00000000008B0000-0x00000000008B1000-memory.dmpFilesize
4KB
-
memory/2320-50-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/2320-141-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/2320-142-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB
-
memory/2320-150-0x00000000024C0000-0x00000000024C1000-memory.dmpFilesize
4KB
-
memory/2320-149-0x00000000024D0000-0x00000000024D1000-memory.dmpFilesize
4KB
-
memory/2320-154-0x0000000002500000-0x0000000002501000-memory.dmpFilesize
4KB
-
memory/2320-153-0x0000000002520000-0x0000000002521000-memory.dmpFilesize
4KB
-
memory/2320-155-0x00000000003C0000-0x00000000003C1000-memory.dmpFilesize
4KB
-
memory/2320-152-0x00000000024E0000-0x00000000024E1000-memory.dmpFilesize
4KB
-
memory/2320-7-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2320-148-0x00000000024A0000-0x00000000024A1000-memory.dmpFilesize
4KB
-
memory/2320-147-0x00000000024B0000-0x00000000024B1000-memory.dmpFilesize
4KB
-
memory/2320-146-0x0000000002480000-0x0000000002481000-memory.dmpFilesize
4KB
-
memory/2320-145-0x0000000002490000-0x0000000002491000-memory.dmpFilesize
4KB
-
memory/2320-144-0x0000000000930000-0x0000000000931000-memory.dmpFilesize
4KB
-
memory/2320-143-0x0000000002470000-0x0000000002471000-memory.dmpFilesize
4KB
-
memory/2320-6-0x0000000000490000-0x0000000000494000-memory.dmpFilesize
16KB
-
memory/2320-168-0x0000000002960000-0x0000000002961000-memory.dmpFilesize
4KB
-
memory/2320-170-0x00000000029C0000-0x00000000029C1000-memory.dmpFilesize
4KB
-
memory/2320-171-0x00000000029F0000-0x00000000029F1000-memory.dmpFilesize
4KB
-
memory/2320-169-0x00000000029D0000-0x00000000029D1000-memory.dmpFilesize
4KB
-
memory/2320-172-0x00000000029E0000-0x00000000029E1000-memory.dmpFilesize
4KB
-
memory/2320-173-0x0000000002A10000-0x0000000002A11000-memory.dmpFilesize
4KB
-
memory/2320-175-0x0000000002A30000-0x0000000002A31000-memory.dmpFilesize
4KB
-
memory/2320-174-0x0000000002A00000-0x0000000002A01000-memory.dmpFilesize
4KB
-
memory/2320-176-0x0000000002A20000-0x0000000002A21000-memory.dmpFilesize
4KB
-
memory/2320-177-0x0000000002BE0000-0x0000000002BE1000-memory.dmpFilesize
4KB
-
memory/2320-178-0x0000000002BD0000-0x0000000002BD1000-memory.dmpFilesize
4KB
-
memory/2320-179-0x0000000002C00000-0x0000000002C01000-memory.dmpFilesize
4KB
-
memory/2320-180-0x0000000002BF0000-0x0000000002BF1000-memory.dmpFilesize
4KB
-
memory/2320-182-0x0000000002C10000-0x0000000002C11000-memory.dmpFilesize
4KB
-
memory/2320-181-0x0000000002C20000-0x0000000002C21000-memory.dmpFilesize
4KB
-
memory/2320-184-0x0000000002C30000-0x0000000002C31000-memory.dmpFilesize
4KB
-
memory/2320-183-0x0000000002C40000-0x0000000002C41000-memory.dmpFilesize
4KB
-
memory/2320-186-0x0000000002C50000-0x0000000002C51000-memory.dmpFilesize
4KB
-
memory/2320-185-0x0000000002DA0000-0x0000000002DA1000-memory.dmpFilesize
4KB
-
memory/2320-188-0x0000000002DB0000-0x0000000002DB1000-memory.dmpFilesize
4KB
-
memory/2320-187-0x0000000002DC0000-0x0000000002DC1000-memory.dmpFilesize
4KB
-
memory/2320-18-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/2320-17-0x00000000004B0000-0x00000000004B1000-memory.dmpFilesize
4KB
-
memory/2320-192-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2320-1-0x0000000000300000-0x0000000000344000-memory.dmpFilesize
272KB
-
memory/2320-16-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2320-15-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/2320-0-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2320-14-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB
-
memory/2388-1472-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2664-1017-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2664-874-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2732-1170-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2732-1307-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB
-
memory/2880-582-0x0000000000400000-0x000000000048A000-memory.dmpFilesize
552KB