050ad995f054220fa8fae03a50c5acfa7973239ba8adac14cc1eb3cbb6273249

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

777b20212eea147f0e22fa507de57c68_JaffaCakes118.exe
Size

341KB
MD5

777b20212eea147f0e22fa507de57c68
SHA1

7dd4e07334dc8c8397abc6804523cf6378c9edc2
SHA256

050ad995f054220fa8fae03a50c5acfa7973239ba8adac14cc1eb3cbb6273249
SHA512

c0f6f22f2aa10e4962ae95460c29d1a86c8083334ddb2f0bae4cf3fcd1cb6656a2a48562dbd8b15d239e50695fac70ca7fb4cf61e0bed4b3c9f6f3ac55347f4b
SSDEEP

6144:L1f3p4J75yfpW1L9yM3pMO6tEjsV+wD8+O7l39SWg:ph4l1L9DSOCuQ+Y3O7R9SWg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	Political Clan.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	777b20212eea147f0e22fa507de57c68_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	777b20212eea147f0e22fa507de57c68_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\PlainEvents.job	777b20212eea147f0e22fa507de57c68_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\777b20212eea147f0e22fa507de57c68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\777b20212eea147f0e22fa507de57c68_JaffaCakes118.exe"
1⤵
- Maps connected drives based on registry
- Drops file in Windows directory
PID:1720

C:\Users\Admin\AppData\Roaming\Political Clan\Political Clan.exe
"C:\Users\Admin\AppData\Roaming\Political Clan\Political Clan.exe"
1⤵
- Executes dropped EXE
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Political Clan\Political Clan.exe

Filesize
64KB

MD5
20fa4a5bcd197eeaed0f76d636325898

SHA1
ce13e3db93a410209a47305ccfe28254cfb5962f

SHA256
40e98694a142ae4c6ae57298d5dcbe8dd54f44b5af028eb855a9116de5df9929

SHA512
d4479bd8b53cb647b23bb9840d13dbed0fe8910ed594c40261b785a6a97383a88d31c3386fe5fcf03afb610559615c8d741c26276c9735ce5565de98815542d9

Download Submit
memory/1720-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1720-2-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1720-3-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download
memory/1720-4-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1720-9-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download
memory/1720-5-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1720-18-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download
memory/1720-14-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1720-26-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download
memory/1720-28-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download