2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe
Size

1.2MB
MD5

48578ca46a647e621583b8b3da2bbbc4
SHA1

d18da5d905ddc8977a63019df1aa32032c94a946
SHA256

2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
SHA512

55da81e0b1002f6678d64989939836606c40da7b65c43be12de41e0b5a365ed73d9b97aa41f94f9deea5d813707353630b7c70740f523af5aa576dd80bdde0ec
SSDEEP

24576:X53uhF8ZcjXB476PaZMr5U3aDAWaPUPTRNTwX6KR8+:X5+hFxPaZSCOtNkq8

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

csrss.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aes.url csrss.com
Executes dropped EXE 2 IoCs

Processes:

csrss.comcsrss.com

pid process

2784 csrss.com
2272 csrss.com
Loads dropped DLL 3 IoCs

Processes:

cmd.execsrss.comcsrss.com

pid process

3040 cmd.exe
2784 csrss.com
2272 csrss.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2828 PING.EXE
2672 PING.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

csrss.comcsrss.com

pid process

2784 csrss.com
2784 csrss.com
2784 csrss.com
2272 csrss.com
2272 csrss.com
2272 csrss.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

csrss.comcsrss.com

pid process

2784 csrss.com
2784 csrss.com
2784 csrss.com
2272 csrss.com
2272 csrss.com
2272 csrss.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aes.url	csrss.com

pid	process
2784	csrss.com
2272	csrss.com

pid	process
3040	cmd.exe
2784	csrss.com
2272	csrss.com

pid	process
2828	PING.EXE
2672	PING.EXE

pid	process
2784	csrss.com
2784	csrss.com
2784	csrss.com
2272	csrss.com
2272	csrss.com
2272	csrss.com

pid	process
2784	csrss.com
2784	csrss.com
2784	csrss.com
2272	csrss.com
2272	csrss.com
2272	csrss.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.execmd.execmd.execsrss.comcsrss.com

description	pid	process	target process
PID 2128 wrote to memory of 2268	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 2128 wrote to memory of 2268	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 2128 wrote to memory of 2268	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 2128 wrote to memory of 2268	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 2128 wrote to memory of 1600	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 2128 wrote to memory of 1600	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 2128 wrote to memory of 1600	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 2128 wrote to memory of 1600	2128	48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe	cmd.exe
PID 1600 wrote to memory of 3040	1600	cmd.exe	cmd.exe
PID 1600 wrote to memory of 3040	1600	cmd.exe	cmd.exe
PID 1600 wrote to memory of 3040	1600	cmd.exe	cmd.exe
PID 1600 wrote to memory of 3040	1600	cmd.exe	cmd.exe
PID 3040 wrote to memory of 2828	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2828	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2828	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2828	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2772	3040	cmd.exe	certutil.exe
PID 3040 wrote to memory of 2772	3040	cmd.exe	certutil.exe
PID 3040 wrote to memory of 2772	3040	cmd.exe	certutil.exe
PID 3040 wrote to memory of 2772	3040	cmd.exe	certutil.exe
PID 3040 wrote to memory of 2784	3040	cmd.exe	csrss.com
PID 3040 wrote to memory of 2784	3040	cmd.exe	csrss.com
PID 3040 wrote to memory of 2784	3040	cmd.exe	csrss.com
PID 3040 wrote to memory of 2784	3040	cmd.exe	csrss.com
PID 3040 wrote to memory of 2672	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2672	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2672	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2672	3040	cmd.exe	PING.EXE
PID 2784 wrote to memory of 2272	2784	csrss.com	csrss.com
PID 2784 wrote to memory of 2272	2784	csrss.com	csrss.com
PID 2784 wrote to memory of 2272	2784	csrss.com	csrss.com
PID 2784 wrote to memory of 2272	2784	csrss.com	csrss.com
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe
PID 2272 wrote to memory of 2652	2272	csrss.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48578ca46a647e621583b8b3da2bbbc4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo JzHWSBvTS
2⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < oNuxTjCXjWnYpM.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\PING.EXE
ping -n 1 SrHBN.SqZJ
4⤵
- Runs ping.exe
PID:2828

C:\Windows\SysWOW64\certutil.exe
certutil -decode Lhe.com y
4⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
csrss.com y
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com y
5⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
PID:2652

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\HSamoVfevY.com

Filesize
921KB

MD5
dab8f26db6e8d76655d96b463513ce6a

SHA1
ea9c3631f94233c06750776cd9bd18e27fbd8677

SHA256
549d70cf61a50e8970e274bf7e76f4c9fab1e185189a8ad074e2a5bdea39005b

SHA512
e406093eb802a5edbdc0e5f0a849d7f58f10dded413db9b6e0a4788125ba73c5b90f5d42a5d98ac68ba2e1fc01879c1403f32cfb3d8e5c26231c58e9751c2093

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\KjEeEFcMnmgksGRLWGE.com

Filesize
288KB

MD5
50e71d12a6308a43ecafdff7c0c288ed

SHA1
ace1d17c0ffacfa236090c947dc641973edb52cf

SHA256
8c518b693e8030f1889578ccf7eaf3387f00ab0d80f08dcd2ce4c7e709cd74a1

SHA512
e9c3cb2cb331ee12baa8efeb80c9d7a24a1b2c350ef1160d5b09c6481a895850e0eb8802692f1ba4a59b3b192354267cd6f0205c7babaf5db089ca3f4408a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lhe.com

Filesize
1.3MB

MD5
52eaf780e2565257d38cb1b928fc7bd7

SHA1
d7f7b5180966241b1408d69cb75913b82f9975cc

SHA256
41de5f343229c79727df473de3b8e2fd8cdfcf495df5dbf039930c789f4aa473

SHA512
65a85f84ab0bc6cb5ad593aa7a84472b0f0bb717097daece9fb3845fc87f01f9c0eb9f03ee8f08477c5b2dbb35ce27a376fdc52e1c5f9d3f391bbf9116645459

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\oNuxTjCXjWnYpM.com

Filesize
2KB

MD5
7e79b5745337937bd60e266c1f045229

SHA1
f165e11b04bc713ee702c6052b430af2157d74ec

SHA256
412bed46d2ea8b3aa867940e3feae8889ca0669cd03097f7f83a39823d9a9f3c

SHA512
66aa34a36e6f370018ebf00e4bd948fa19cad1f2fef0a6af6984d8da0ed270cc09b8f1fe3fdb06a7caf6b0302855b508cf35b45c55141eb3c8a7f739b3bd1ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\y

Filesize
934KB

MD5
6598c41a263fcf26913b8e26711c5bc0

SHA1
1505e9b28252c11b99016fb86ac89eb4bb99e382

SHA256
2d4521be86113f3f235149feb339401106524c644a09faed37a1e7bc17cac9c1

SHA512
289d6e7ccfacefdad592faa263980adad656e90368475392b1c9b529104a0d2f74ad875b4913210f000ac3edc77c9701f24b0f23bea9b80376645c8e4d272346

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/2652-31-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-41-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-67-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-66-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-65-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-63-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-61-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-59-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-57-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-55-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-53-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-51-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-49-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-47-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-46-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-44-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-43-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-42-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-40-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-39-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-38-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-37-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-109-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-107-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-36-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-103-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-100-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-97-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-35-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-94-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-91-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-89-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-85-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-83-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-80-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-77-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-34-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-74-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-72-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-70-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-68-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-33-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-64-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-62-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-60-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-58-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-32-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-56-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-54-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-52-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-50-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-48-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-45-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-110-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-106-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-104-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-101-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-98-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-95-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-92-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-88-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-86-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-82-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-79-0x0000000000BA0000-0x0000000001BA0000-memory.dmp

Filesize
16.0MB

Download