161dc14ab6022dbb142adeba822af647463c61b56c363c327cff76dd7ea651e3

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
Size

66KB
MD5

459707024783aa1babe7470fb05b5999
SHA1

0769bab8fa5b6d1017e5e6f527580dde18f161a0
SHA256

161dc14ab6022dbb142adeba822af647463c61b56c363c327cff76dd7ea651e3
SHA512

87407059b09a42e1e50c4a202c999ccfe6f195acce39ca41c32db5278574e33f436a30041b9c0b3f43819c281068daa549cea6cf708cd8e77561ff84c0c1771a
SSDEEP

768:N88LGKvH2IsJMrsqxuO5MCoMRGGIxDphmmEmkoNM6ibn2FQix5E+ieZ0QiSAmX:N88zH2IcMQu+CoM88mEmkoNM52FEnta

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Diskrun.exe\""	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Diskrun.exe\""	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	ded.exe
2588	ded.exe

Loads dropped DLL 3 IoCs

pid	Process
1968	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
1968	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
2892	ded.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Diskrun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Diskrun.exe\""	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\Autorun.inf	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
File opened for modification	F:\Autorun.inf	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
File created	C:\Autorun.inf	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
File opened for modification	C:\Autorun.inf	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
File created	D:\Autorun.inf	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
File opened for modification	D:\Autorun.inf	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe
2588	ded.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2892	1968	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2892	1968	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2892	1968	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe	28
PID 1968 wrote to memory of 2892	1968	459707024783aa1babe7470fb05b5999_JaffaCakes118.exe	28
PID 2892 wrote to memory of 2588	2892	ded.exe	29
PID 2892 wrote to memory of 2588	2892	ded.exe	29
PID 2892 wrote to memory of 2588	2892	ded.exe	29
PID 2892 wrote to memory of 2588	2892	ded.exe	29
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21
PID 2588 wrote to memory of 1200	2588	ded.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\459707024783aa1babe7470fb05b5999_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\459707024783aa1babe7470fb05b5999_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\ded.exe
    "C:\Users\Admin\AppData\Local\Temp\ded.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\ded.exe
      StubPath
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Autorun.inf

Filesize
37B

MD5
9254534bfa776fc07b5962a2ad6eb123

SHA1
bd53776468e7c6c5b3dfce4085e62e82042342ec

SHA256
bd222000d9d14e639a82665badeda11b30cf5e67230f49ae487df4e1e2a9db61

SHA512
8738fa9ec843c030d3e9fc1c12ff4fb7490a620679fd7f54b7b7914f7a6c60ebda3c2426d7a4a16c7919f0845e3e09644df1133c7215737e858964ff4a7168dd

Download Submit
F:\Diskspace.exe

Filesize
66KB

MD5
459707024783aa1babe7470fb05b5999

SHA1
0769bab8fa5b6d1017e5e6f527580dde18f161a0

SHA256
161dc14ab6022dbb142adeba822af647463c61b56c363c327cff76dd7ea651e3

SHA512
87407059b09a42e1e50c4a202c999ccfe6f195acce39ca41c32db5278574e33f436a30041b9c0b3f43819c281068daa549cea6cf708cd8e77561ff84c0c1771a

Download Submit
\Users\Admin\AppData\Local\Temp\ded.exe

Filesize
9KB

MD5
c8f55545987f2a2c2b127ae643967803

SHA1
42abd6d3cab0dff4037e2ae24ccd69b1a3eed750

SHA256
284f3f125ef73f53c2472d1f7261c65b121510dd10ef1d2f601be8c5fea5b184

SHA512
eb6e88e913a53482fe997923f99745cf9815f11ef81ad58e6380267fd9bfe9b5774c17a6229f2f44e3fcd195a5b0b37718b0b1dff2862687b241ff843466f83b

Download Submit
memory/1200-25-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1968-0-0x0000000003CA0000-0x0000000003CA9000-memory.dmp

Filesize
36KB

Download
memory/1968-1-0x0000000003CA0000-0x0000000003CA9000-memory.dmp

Filesize
36KB

Download
memory/2892-24-0x0000000000400000-0x0000000000402400-memory.dmp

Filesize
9KB

Download