04a5be756e4a354420d36f9a7f07299d79a9c360a2ff0f3c74d73a41bda07798

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe
Size

452KB
MD5

17c5e34f35de7fc18d3eaf8803dd5a04
SHA1

da0d126b5b207b47cd93619994c3f5a67c83f9e3
SHA256

04a5be756e4a354420d36f9a7f07299d79a9c360a2ff0f3c74d73a41bda07798
SHA512

6691ed6d20954e90c28aa61f953a9d03e93294bca872f9faaa848fa6ce45f34cd4f4abcafb7876519e814ec83407816a653d1194493ead7070baf3ace2e2d2ec
SSDEEP

6144:Gl2wg+LeOFRCOGB6B35Cuhcw+P6kAf4rcwR64e774VTGo7d02OVdBTNwIdkXYC:zOFAOGQ55CuhcwA0uvS7sV9d0261jad

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2552	frcpyknrzjcqggh.exe

Loads dropped DLL 5 IoCs

pid	Process
1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe
1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe
1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe
1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe
1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	frcpyknrzjcqggh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	frcpyknrzjcqggh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2552	frcpyknrzjcqggh.exe
2552	frcpyknrzjcqggh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2552	1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe	28
PID 1984 wrote to memory of 2552	1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe	28
PID 1984 wrote to memory of 2552	1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe	28
PID 1984 wrote to memory of 2552	1984	17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17c5e34f35de7fc18d3eaf8803dd5a04_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\frcpyknrzjcqggh.exe
  "C:\Users\Admin\AppData\Local\Temp\frcpyknrzjcqggh.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\parent.txt

Filesize
452KB

MD5
17c5e34f35de7fc18d3eaf8803dd5a04

SHA1
da0d126b5b207b47cd93619994c3f5a67c83f9e3

SHA256
04a5be756e4a354420d36f9a7f07299d79a9c360a2ff0f3c74d73a41bda07798

SHA512
6691ed6d20954e90c28aa61f953a9d03e93294bca872f9faaa848fa6ce45f34cd4f4abcafb7876519e814ec83407816a653d1194493ead7070baf3ace2e2d2ec

Download Submit
\Users\Admin\AppData\Local\Temp\frcpyknrzjcqggh.exe

Filesize
11KB

MD5
cc4084c00d61ed1637dfcfb31ab3bd7a

SHA1
cac8e3b465f8698abc519e874c79aefe6af7ffea

SHA256
5b22b27bb5beed71ba975868a2b4a861dc4d6005cab554e5de84a95532ac1942

SHA512
5b90f351b9a9c2761fd87b765108a8654ba53c6eea94b0665dcd66ef254fcefdd86368dc5a65f410c84212b71ffda4c650bee0da6bcff6733a1fdbf3c144e15c

Download Submit
memory/2552-7-0x00000000009B0000-0x00000000009F4000-memory.dmp

Filesize
272KB

Download
memory/2552-16-0x0000000021230000-0x00000000219D6000-memory.dmp

Filesize
7.6MB

Download