0e3418bcbeb7b18e25a5a0733cab85dbfbf9019bae3394112e41051a192f2b13

Analysis

max time kernel
145s
max time network
126s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
Size

2.3MB
MD5

3d677c956bc9a9ede80e38134af20a5c
SHA1

3cc9ba461899bb8999fb1c5d81ef2eca1fe86959
SHA256

0e3418bcbeb7b18e25a5a0733cab85dbfbf9019bae3394112e41051a192f2b13
SHA512

e3612be1357832eb161e385e68e244cc11d664bac880ad026271a774436a55f8d30361c7204297d3bf487a0c96b84ab239ea9f2dfe45254bf5cf8f9ee40dea08
SSDEEP

49152:v3P2Qlh/HpHzjQi4lSovRkpk3Im4zMoYeOLM9LyaBr1ccP7rENxefMN:v/3lhpTgFGpMImmYK9zKAc0MN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2496	1B0F.tmp
2596	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
2496	1B0F.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Sidebar_Admin.job	1B0F.tmp
File created	C:\Windows\Tasks\Sidebar.job	1B0F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2496	1B0F.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2596	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
2596	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
2596	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
2596	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2496	2328	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe	28
PID 2328 wrote to memory of 2496	2328	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe	28
PID 2328 wrote to memory of 2496	2328	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe	28
PID 2328 wrote to memory of 2496	2328	3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe	28
PID 2496 wrote to memory of 2596	2496	1B0F.tmp	29
PID 2496 wrote to memory of 2596	2496	1B0F.tmp	29
PID 2496 wrote to memory of 2596	2496	1B0F.tmp	29
PID 2496 wrote to memory of 2596	2496	1B0F.tmp	29

C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\1B0F.tmp
  "C:\Users\Admin\AppData\Local\Temp\1B0F.tmp" --pingC:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe B531C453AFFD0FA07227ABEA7A29383010C60B3A08CBF3E7FA994B1965F115B5E70F0361DF08D9349C5E7ED6E3DB4323EE43E6775034313C797BFCF490291D44
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B0F.tmp

Filesize
2.3MB

MD5
71ecb7fdf47b0f601fdbdf29f58a825d

SHA1
d0e652ee65648c0443c6f3b46fc2673476449aeb

SHA256
c6d052f200d4af76fc19078b2f5beb26effcd0ade97cc539ca861094b513daf8

SHA512
05c6a1d72922e0d83a35faa1d5bcbc0c0f61e8d62b0a8f937327262cbd32418b451a94205c6cd278480ec43bdef1bdcfd3bedb0ed7328e6a78881c8e7ed505db

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d677c956bc9a9ede80e38134af20a5c_JaffaCakes118.exe

Filesize
1.1MB

MD5
cd75d3e263ff0d1d13aad24cdb9f2593

SHA1
cbcf46c2524176ce03cbfdb69017788282e495a5

SHA256
ccac4ef83f1484c207be895e40037f23138d911c1ec537ffd6577ef789c974c4

SHA512
16c489e2a2337bb7d23b5d6507d769a62d2c4ffd6b30c237752ab38c935eb92dcf74c75b972279f95617d82de69f25c53db819ddc1e543e35d89ad0956c3df87

Download Submit
memory/2496-12-0x0000000003250000-0x0000000003663000-memory.dmp

Filesize
4.1MB

Download
memory/2596-14-0x0000000000C10000-0x0000000001023000-memory.dmp

Filesize
4.1MB

Download
memory/2596-17-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/2596-77-0x0000000000C10000-0x0000000001023000-memory.dmp

Filesize
4.1MB

Download
memory/2596-79-0x0000000000110000-0x0000000000113000-memory.dmp

Filesize
12KB

Download
memory/2596-91-0x0000000000C10000-0x0000000001023000-memory.dmp

Filesize
4.1MB

Download