59f307a133ee6b237a588352415eb6998b0fe8f1583ed2f5673082a7c603e70d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe
Size

94KB
MD5

595813dc8d5df5b9aa2707b1ec894eee
SHA1

0e7d6bd4fa80efb5dbe9e8ad34eac6e7d5ed5c5e
SHA256

59f307a133ee6b237a588352415eb6998b0fe8f1583ed2f5673082a7c603e70d
SHA512

fa7bee07cb11bf5050db86f218426ad9a4582b602fff50647634174b23303f048cefbeaecf1422b5c43e7aa683e7a9e11c82e6fac613df2bde7344c624f42d4c
SSDEEP

1536:tF0AJELoJHG9qa+oa33KJJzAKWYr0v7iJSzIRXKTzRZICrWaGZh70:tiAyLN9qa+oEGrWViJSzIR6JJrWNZm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2136	WwanSvc.exe

Loads dropped DLL 1 IoCs

pid	Process
2836	595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2136	2836	595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2136	2836	595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2136	2836	595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2136	2836	595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\595813dc8d5df5b9aa2707b1ec894eee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2836
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\WwanSvc.exe

Filesize
94KB

MD5
70ef0893805c34328760c45b0c9f9586

SHA1
358b620150a96ee620d26802267e8de43d754460

SHA256
24c0146c31bfe7edf8239b9d03bc4a1fd405d8e3fc5ffd47f8a3c2791c12ab9d

SHA512
b343f837bf70ea494d860184818ef56319279c732d9b413fe957a234f67b0af419584935d95404716dc6b4d5f72b640d5070519d4ab1919e09f931f318ab3754

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads