1171b8095d9160253ead55cd794473bd3a7e97b4bf5fab4251a0f14cf8af6beb

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25ced0a9130e667e929bc5a57aa12c2a_JaffaCakes118.exe
Size

258KB
MD5

25ced0a9130e667e929bc5a57aa12c2a
SHA1

8ee0f8900d82440bf64f4b4a87dcd5942ab7e236
SHA256

1171b8095d9160253ead55cd794473bd3a7e97b4bf5fab4251a0f14cf8af6beb
SHA512

261ad70973d58d1cf0d65d729939c21508dee3b5474ce00b76528105db55bc1abc3c0069ca7fe17034ab105797bb4269c7c329ddbc8101feb0e27a2236ca8ecb
SSDEEP

6144:sTKxRVX3qSsKSqg9CRKNpFk2P/ykDg6vkV:s4aSs3q4CRKNpFBO6vkV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2636	Believing Brood.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	25ced0a9130e667e929bc5a57aa12c2a_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	25ced0a9130e667e929bc5a57aa12c2a_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\FineLine.job	25ced0a9130e667e929bc5a57aa12c2a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\25ced0a9130e667e929bc5a57aa12c2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25ced0a9130e667e929bc5a57aa12c2a_JaffaCakes118.exe"
1⤵
- Maps connected drives based on registry
- Drops file in Windows directory
PID:1676

C:\Users\Admin\AppData\Roaming\Believing Brood\Believing Brood.exe
"C:\Users\Admin\AppData\Roaming\Believing Brood\Believing Brood.exe"
1⤵
- Executes dropped EXE
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Believing Brood\Believing Brood.exe

Filesize
64KB

MD5
91e96798fd8b1ac7e2bae814c63be59d

SHA1
2fdcacd20901c42b07b027028755bf3e6174fee9

SHA256
67d42bf3589d3a05cd1097b71aa8c9efaa620fcaea780f740ddd11af63b67ca0

SHA512
5ca044dbdc5df3f3246cf419ff3ae2e49db6e60232e351ff7a69fd0e54519c18ccfc7929bdc0742872f88bb856284790c1b2cbfb6ec61e701c183d396ad7fa92

Download Submit
memory/1676-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1676-1-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1676-4-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1676-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1676-2-0x00000000000A0000-0x00000000000C9000-memory.dmp

Filesize
164KB

Download
memory/1676-5-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/1676-12-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1676-16-0x00000000000A0000-0x00000000000C9000-memory.dmp

Filesize
164KB

Download
memory/1676-9-0x00000000000A0000-0x00000000000C9000-memory.dmp

Filesize
164KB

Download
memory/1676-25-0x00000000000A0000-0x00000000000C9000-memory.dmp

Filesize
164KB

Download
memory/1676-28-0x00000000000A0000-0x00000000000C9000-memory.dmp

Filesize
164KB

Download