34a1e46a598571d1b39c9153ad122fe5287f7360655742e8f5731e96dd22d852

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe
Size

460KB
MD5

68bf82acbe96ec09403a2451cfba743c
SHA1

0f3ab32f41d75c5206bd926e35ef63657d771416
SHA256

34a1e46a598571d1b39c9153ad122fe5287f7360655742e8f5731e96dd22d852
SHA512

41bd3f871dbc65b45f531affb0de7ee53ba3afbed720b367eb28cb12e5836db620cd2652e21b2eb7ceb7b6bdbcf81ae23714b1ac73b391e39566328a440c7916
SSDEEP

6144:Me1x8OvFt/056aMOQWmqjKYZaHZacAoIDpTuxX+kyaclsmO1oBdjkU+TEH0afBtI:tv/i6jOQlqLZa5VAAslsmOGZ9C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

mcsmvzpebpmhc.exe

pid process

2320 mcsmvzpebpmhc.exe
Loads dropped DLL 2 IoCs

Processes:

68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe

pid process

2112 68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe
2112 68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe

pid	process
2320	mcsmvzpebpmhc.exe

pid	process
2112	68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe
2112	68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mcsmvzpebpmhc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	mcsmvzpebpmhc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mcsmvzpebpmhc.exe

description pid process

Token: SeDebugPrivilege 2320 mcsmvzpebpmhc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mcsmvzpebpmhc.exe

pid process

2320 mcsmvzpebpmhc.exe
2320 mcsmvzpebpmhc.exe

description	pid	process
Token: SeDebugPrivilege	2320	mcsmvzpebpmhc.exe

pid	process
2320	mcsmvzpebpmhc.exe
2320	mcsmvzpebpmhc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe

description	pid	process	target process
PID 2112 wrote to memory of 2320	2112	68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe	mcsmvzpebpmhc.exe
PID 2112 wrote to memory of 2320	2112	68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe	mcsmvzpebpmhc.exe
PID 2112 wrote to memory of 2320	2112	68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe	mcsmvzpebpmhc.exe
PID 2112 wrote to memory of 2320	2112	68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe	mcsmvzpebpmhc.exe

C:\Users\Admin\AppData\Local\Temp\68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68bf82acbe96ec09403a2451cfba743c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\xytfhewdfokl\mcsmvzpebpmhc.exe
  "C:\Users\Admin\AppData\Local\Temp\xytfhewdfokl\mcsmvzpebpmhc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xytfhewdfokl\parent.txt

Filesize
460KB

MD5
68bf82acbe96ec09403a2451cfba743c

SHA1
0f3ab32f41d75c5206bd926e35ef63657d771416

SHA256
34a1e46a598571d1b39c9153ad122fe5287f7360655742e8f5731e96dd22d852

SHA512
41bd3f871dbc65b45f531affb0de7ee53ba3afbed720b367eb28cb12e5836db620cd2652e21b2eb7ceb7b6bdbcf81ae23714b1ac73b391e39566328a440c7916

Download Submit
\Users\Admin\AppData\Local\Temp\xytfhewdfokl\mcsmvzpebpmhc.exe

Filesize
7KB

MD5
47c835c22089e8995742f10696dad5e8

SHA1
f9921459382827b140098c000500f6f8b85c826d

SHA256
f551a071a9f277545deec029df075e90c622dbe33dd55c2f2c274173677058ea

SHA512
2bb6be1ef168f2e71697195b540c26e632a65d4c3d84676746fcc8dcaca3ac3714d949ecc71c5e73bd1444c5e23267d3a5be18b5183f7e93ea00d90affd4e07b

Download Submit
memory/2320-14-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-11-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-12-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-13-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-10-0x0000000000E80000-0x0000000000EC4000-memory.dmp

Filesize
272KB

Download
memory/2320-15-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-8-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/2320-22-0x0000000021090000-0x0000000021836000-memory.dmp

Filesize
7.6MB

Download
memory/2320-27-0x000007FEF5CEE000-0x000007FEF5CEF000-memory.dmp

Filesize
4KB

Download
memory/2320-28-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-29-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download
memory/2320-30-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

Filesize
9.6MB

Download