243df039bef9c3f54b133d9e5d46d65da3a87ac429476e8230876ba6f75d86f4

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe
Size

1.1MB
MD5

30bd2c613fb99585298cad8fd5a0e361
SHA1

d29e3be484bdf6e91e7ad34367fbf7a1db2d623b
SHA256

243df039bef9c3f54b133d9e5d46d65da3a87ac429476e8230876ba6f75d86f4
SHA512

4ebec56d722f34071a1bffdebaa562ba04a3c1e2701ee4bc7620deb666f08716eae3af136e7157c9419d11b3fcc57833a891356a8b8f8a8a5264591f30c625dd
SSDEEP

24576:UY2pSjUmFiCbp1RD1zE8auFv6hpP0I289DlZIKxy:yzmFiC3RRzPaw82qaK4

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2056	netsh.exe
2328	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	2128	WerFault.exe	27

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe
2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2328	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2328	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2328	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2328	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2056	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2056	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2056	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2056	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	29
PID 2128 wrote to memory of 2928	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2928	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2928	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2928	2128	30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe" "30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2328
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe" dir=in program="C:\Users\Admin\AppData\Local\Temp\30bd2c613fb99585298cad8fd5a0e361_JaffaCakes118.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  PID:2056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1048
  2⤵
  - Program crash
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads