9b15dc59f3834f09e425cf568dd0b4c15fda0f6c622660f2867f46d0a68ed314

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 04:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe
Size

317KB
MD5

5d1c08240c594cb1763c36c7713e3124
SHA1

a73eb2756bd96a6640fa3a53eefcb5863939a59a
SHA256

9b15dc59f3834f09e425cf568dd0b4c15fda0f6c622660f2867f46d0a68ed314
SHA512

75d77a4a6aca400c667250a5ca039e92dd208a992c8e3991eb26f74ffaf639b374036e7f0153c5be4be71d5f5d73ce9420b1931de8f81201142fc8a4bcf233d2
SSDEEP

6144:phy579BvPxiiLbii5bkgVuN+xSKV7Wkrsf7LsmBE7dVe2dKSveo0A0Zw:/y579pJvXikbkgaISKVGMCkKSveVL6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2596	269C178D-B4A4-4B8F-8864-13AC7458B2AE.exe

Loads dropped DLL 6 IoCs

pid	Process
2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe
2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe
2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe
2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe
2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe
2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2596	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2596	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2596	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2596	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2600	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2600	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2600	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2600	2868	5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d1c08240c594cb1763c36c7713e3124_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\e916dd12-b497-4d00-92ae-ca7de942e386\269C178D-B4A4-4B8F-8864-13AC7458B2AE.exe
  "C:\Users\Admin\AppData\Local\Temp\e916dd12-b497-4d00-92ae-ca7de942e386\269C178D-B4A4-4B8F-8864-13AC7458B2AE.exe" -y -p356A86FE-785D-44A6-9357-FF88ACA6F007
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Local\Temp\e916dd12-b497-4d00-92ae-ca7de942e386\start.hta
  2⤵
  - Modifies Internet Explorer settings
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e916dd12-b497-4d00-92ae-ca7de942e386\loader.gif

Filesize
1KB

MD5
e88ebd85dd56110ac6ea93fe0922988e

SHA1
684a31d864d33ff736234c41ac4e8d2c7f90d5ae

SHA256
379d1b0948f8e06366e7bcd197c848c0cc783787792f2224f98c16b974d920eb

SHA512
211b0760c9a887fc13c479617daeb6d5b6ee0ccd06c214967abd3e1f14204f72e34a6dd5eb778a9fc6ac7fc8bd63bdef80b347abab97becda16924cb3e164dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e916dd12-b497-4d00-92ae-ca7de942e386\start.hta

Filesize
1KB

MD5
9bbdda852677117290a7a3f130638079

SHA1
48390e93abf77599ae64023160cb8ae143189777

SHA256
6e8fcc04c8bf6e07448f7bd47cb304f374873045355b66e160db965ca9685f34

SHA512
1d94b9074ac16cc84b76209a258313282437019838c6b759f8e1c9a665ea104b1e5d197c42b5896b4d89fe7087501017d13a5912272084592c5a218dc635aaa9

Download Submit
\Users\Admin\AppData\Local\Temp\e916dd12-b497-4d00-92ae-ca7de942e386\269C178D-B4A4-4B8F-8864-13AC7458B2AE.exe

Filesize
204KB

MD5
5607bf5b6cff2be62fb3b4635a7c4769

SHA1
00f5b363c782c890ef82ac96a571dd21c66fb113

SHA256
7ee0eabb05b0d5497bd922c12b7213a4bdf81ea2585a5d4d5154cf0b9714b708

SHA512
2900f52b029ca72387d92bc796eb1da5e33152e1cfd6a5355d68a751c6b56aee01c51144e20e28e98d5dfde6c9eab9d1e850133eef28954ccf51889a19e72d24

Download Submit
\Users\Admin\AppData\Local\Temp\e916dd12-b497-4d00-92ae-ca7de942e386\InstallerHelper.dll

Filesize
122KB

MD5
1363df69aa27893247a6559f7f3ff875

SHA1
eb0bf5b98ee5a14192678171a61ca7ac0705e198

SHA256
6e453c5bf579dd4a1f832e091b243d7666f93b04b81c4de1e61f73b2c4b2bbcd

SHA512
aa3e7f007fa3f28ddc052dd8a2df4369cd4cad19e2ec66129ea1d81a354bc361661c0bd47115a242bef8ccfbc65e74477334e293bf120c85f7d9e31f1b75ebc2

Download Submit