Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 02:25

General

  • Target

    69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe

  • Size

    661KB

  • MD5

    69715a3737689f3af82dc9fe678daeaa

  • SHA1

    10cec059bb7fc0a6aadf00c7e5c67c642d1115dc

  • SHA256

    5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5

  • SHA512

    752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca

  • SSDEEP

    12288:faWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8ri6a:CaHMv6CorjqnyC8r2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    661KB

    MD5

    69715a3737689f3af82dc9fe678daeaa

    SHA1

    10cec059bb7fc0a6aadf00c7e5c67c642d1115dc

    SHA256

    5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5

    SHA512

    752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca

  • memory/1960-3-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/1960-5-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1960-1-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1960-7-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1960-27-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2300-28-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2392-0-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2788-40-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2788-41-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB