Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 09:45

General

  • Target

    459707024783aa1babe7470fb05b5999_JaffaCakes118.exe

  • Size

    66KB

  • MD5

    459707024783aa1babe7470fb05b5999

  • SHA1

    0769bab8fa5b6d1017e5e6f527580dde18f161a0

  • SHA256

    161dc14ab6022dbb142adeba822af647463c61b56c363c327cff76dd7ea651e3

  • SHA512

    87407059b09a42e1e50c4a202c999ccfe6f195acce39ca41c32db5278574e33f436a30041b9c0b3f43819c281068daa549cea6cf708cd8e77561ff84c0c1771a

  • SSDEEP

    768:N88LGKvH2IsJMrsqxuO5MCoMRGGIxDphmmEmkoNM6ibn2FQix5E+ieZ0QiSAmX:N88zH2IcMQu+CoM88mEmkoNM52FEnta

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\459707024783aa1babe7470fb05b5999_JaffaCakes118.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops autorun.inf file
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Users\Admin\AppData\Local\Temp\ded.exe
          "C:\Users\Admin\AppData\Local\Temp\ded.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Users\Admin\AppData\Local\Temp\ded.exe
            StubPath
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2588

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Autorun.inf

      Filesize

      37B

      MD5

      9254534bfa776fc07b5962a2ad6eb123

      SHA1

      bd53776468e7c6c5b3dfce4085e62e82042342ec

      SHA256

      bd222000d9d14e639a82665badeda11b30cf5e67230f49ae487df4e1e2a9db61

      SHA512

      8738fa9ec843c030d3e9fc1c12ff4fb7490a620679fd7f54b7b7914f7a6c60ebda3c2426d7a4a16c7919f0845e3e09644df1133c7215737e858964ff4a7168dd

    • F:\Diskspace.exe

      Filesize

      66KB

      MD5

      459707024783aa1babe7470fb05b5999

      SHA1

      0769bab8fa5b6d1017e5e6f527580dde18f161a0

      SHA256

      161dc14ab6022dbb142adeba822af647463c61b56c363c327cff76dd7ea651e3

      SHA512

      87407059b09a42e1e50c4a202c999ccfe6f195acce39ca41c32db5278574e33f436a30041b9c0b3f43819c281068daa549cea6cf708cd8e77561ff84c0c1771a

    • \Users\Admin\AppData\Local\Temp\ded.exe

      Filesize

      9KB

      MD5

      c8f55545987f2a2c2b127ae643967803

      SHA1

      42abd6d3cab0dff4037e2ae24ccd69b1a3eed750

      SHA256

      284f3f125ef73f53c2472d1f7261c65b121510dd10ef1d2f601be8c5fea5b184

      SHA512

      eb6e88e913a53482fe997923f99745cf9815f11ef81ad58e6380267fd9bfe9b5774c17a6229f2f44e3fcd195a5b0b37718b0b1dff2862687b241ff843466f83b

    • memory/1200-25-0x0000000002F10000-0x0000000002F11000-memory.dmp

      Filesize

      4KB

    • memory/1968-0-0x0000000003CA0000-0x0000000003CA9000-memory.dmp

      Filesize

      36KB

    • memory/1968-1-0x0000000003CA0000-0x0000000003CA9000-memory.dmp

      Filesize

      36KB

    • memory/2892-24-0x0000000000400000-0x0000000000402400-memory.dmp

      Filesize

      9KB