13386916b2957099a92fefa8fb8307f39575a78b2a6770f9291dfe9e5033e2e7

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
Size

273KB
MD5

0dad3d73d9e47476bd55e2b1cf104fc7
SHA1

1f5ccb8c2e7dc8d8851cb8bfd5977a0eaf0f6188
SHA256

13386916b2957099a92fefa8fb8307f39575a78b2a6770f9291dfe9e5033e2e7
SHA512

278c07874d73832da135ef3e45ebd35878d3d183d2d226a9cc5ba814c190a91e6ec67dd62accf215dc5c0af9d1671e30d75408602b69ea1028be5aa4e64115ed
SSDEEP

6144:b4qMZvK7bFvMnxQf+2VoxWnGKT1xwTi6Aw66G:n0qBvcqfdVos4TLLTG

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001450b-2.dat	acprotect

Loads dropped DLL 2 IoCs

pid	Process
2440	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
2604	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2460	sc.exe
2588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2440	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
2604	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2968	2440	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2968	2440	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2968	2440	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2968	2440	0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe	28
PID 2968 wrote to memory of 2460	2968	cmd.exe	30
PID 2968 wrote to memory of 2460	2968	cmd.exe	30
PID 2968 wrote to memory of 2460	2968	cmd.exe	30
PID 2968 wrote to memory of 2460	2968	cmd.exe	30
PID 2968 wrote to memory of 2588	2968	cmd.exe	31
PID 2968 wrote to memory of 2588	2968	cmd.exe	31
PID 2968 wrote to memory of 2588	2968	cmd.exe	31
PID 2968 wrote to memory of 2588	2968	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "sc create "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118" binPath= "C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe" start= auto && sc start "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\sc.exe
    sc create "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118" binPath= "C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:2460
- - C:\Windows\SysWOW64\sc.exe
    sc start "0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118"
    3⤵
    - Launches sc.exe
    PID:2588

C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\0dad3d73d9e47476bd55e2b1cf104fc7_JaffaCakes118.exe
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gcl143C.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/2440-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2440-4-0x0000000001B80000-0x0000000001BF3000-memory.dmp

Filesize
460KB

Download
memory/2440-12-0x0000000001B80000-0x0000000001BF3000-memory.dmp

Filesize
460KB

Download
memory/2440-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2604-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2604-9-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/2604-13-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download
memory/2604-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2604-20-0x0000000000420000-0x0000000000493000-memory.dmp

Filesize
460KB

Download