Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
01-06-2024 05:44
General
-
Target
898446324be148af2b7f41028ed4477a_JaffaCakes118.exe
-
Size
562KB
-
MD5
898446324be148af2b7f41028ed4477a
-
SHA1
ff78713a43af6b335d3f3470b5d38ffdd96d38bc
-
SHA256
d15805c32b413040e8a0fb740465acf7d85efbe741e1689a9a82c5e1e601def0
-
SHA512
cde3bc6dd175daa853d1c18e365df6c28b737cff5d671a6c5eba6dce12b893cb8ad8e29c1f5eea496e2f338f270bd3d6305bef2802c41ec2d78017dbc9c59aaa
-
SSDEEP
12288:ot0V2auKKQ1ZQ3uiBb2IFis1CwI5DEpU7R:SwYPQMeicZ
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\898446324be148af2b7f41028ed4477a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\898446324be148af2b7f41028ed4477a_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\898446324be148af2b7f41028ed4477a_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\walmart.exe"2⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\walmart.exe"2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\walmart.exe"C:\Users\Admin\AppData\Local\walmart.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\walmart.exe"C:\Users\Admin\AppData\Local\walmart.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\walmart.exe"C:\Users\Admin\AppData\Local\walmart.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\walmart.exeFilesize
562KB
MD5898446324be148af2b7f41028ed4477a
SHA1ff78713a43af6b335d3f3470b5d38ffdd96d38bc
SHA256d15805c32b413040e8a0fb740465acf7d85efbe741e1689a9a82c5e1e601def0
SHA512cde3bc6dd175daa853d1c18e365df6c28b737cff5d671a6c5eba6dce12b893cb8ad8e29c1f5eea496e2f338f270bd3d6305bef2802c41ec2d78017dbc9c59aaa
-
memory/2372-0-0x000000007427E000-0x000000007427F000-memory.dmpFilesize
4KB
-
memory/2372-1-0x00000000003E0000-0x0000000000470000-memory.dmpFilesize
576KB
-
memory/2372-2-0x0000000000290000-0x00000000002B0000-memory.dmpFilesize
128KB
-
memory/2372-3-0x0000000074270000-0x000000007495E000-memory.dmpFilesize
6.9MB
-
memory/2372-4-0x0000000074270000-0x000000007495E000-memory.dmpFilesize
6.9MB
-
memory/2372-5-0x0000000074270000-0x000000007495E000-memory.dmpFilesize
6.9MB
-
memory/2372-8-0x0000000074270000-0x000000007495E000-memory.dmpFilesize
6.9MB
-
memory/2992-11-0x00000000000A0000-0x0000000000130000-memory.dmpFilesize
576KB