Analysis
-
max time kernel
48s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 17:07
Static task
static1
Behavioral task
behavioral1
Sample
7d57a72404acb4ff61cef47b1962f2e1_JaffaCakes118.rar
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
inv.exe
Resource
win7-20231129-en
General
-
Target
inv.exe
-
Size
961KB
-
MD5
76531d39883b68c043629aa10630d089
-
SHA1
824d18f09010dbaa411dbc6680e7e4bb7d7d646b
-
SHA256
ace8278c3113b551c6f87599c9a7d64724b55293fc64312a8c042585b07f75f8
-
SHA512
7cef89bff08fc07a31c63e20310e9bc75f12c53f4480ba4c9c9fb218af2e86e5881683c45696b3afab7c91223b45622b953c547a1eccbbf04b00756cdc29a9c1
-
SSDEEP
24576:bxLgu0WUD1HOYMXj/V0fX38g1yGQoxqW2T:bF5W1HOYGVqf17QoxW
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2712 app.exe -
Loads dropped DLL 1 IoCs
pid Process 2456 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2368 inv.exe Token: 33 2368 inv.exe Token: SeIncBasePriorityPrivilege 2368 inv.exe Token: SeDebugPrivilege 2712 app.exe Token: 33 2712 app.exe Token: SeIncBasePriorityPrivilege 2712 app.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2580 2368 inv.exe 28 PID 2368 wrote to memory of 2580 2368 inv.exe 28 PID 2368 wrote to memory of 2580 2368 inv.exe 28 PID 2368 wrote to memory of 2580 2368 inv.exe 28 PID 2368 wrote to memory of 2456 2368 inv.exe 30 PID 2368 wrote to memory of 2456 2368 inv.exe 30 PID 2368 wrote to memory of 2456 2368 inv.exe 30 PID 2368 wrote to memory of 2456 2368 inv.exe 30 PID 2456 wrote to memory of 2712 2456 cmd.exe 32 PID 2456 wrote to memory of 2712 2456 cmd.exe 32 PID 2456 wrote to memory of 2712 2456 cmd.exe 32 PID 2456 wrote to memory of 2712 2456 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\inv.exe"C:\Users\Admin\AppData\Local\Temp\inv.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\inv.exe" "C:\Users\Admin\Videos\app.exe"2⤵PID:2580
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Videos\app.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Users\Admin\Videos\app.exe"C:\Users\Admin\Videos\app.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
961KB
MD576531d39883b68c043629aa10630d089
SHA1824d18f09010dbaa411dbc6680e7e4bb7d7d646b
SHA256ace8278c3113b551c6f87599c9a7d64724b55293fc64312a8c042585b07f75f8
SHA5127cef89bff08fc07a31c63e20310e9bc75f12c53f4480ba4c9c9fb218af2e86e5881683c45696b3afab7c91223b45622b953c547a1eccbbf04b00756cdc29a9c1