Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/06/2024, 21:19

General

  • Target

    964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe

  • Size

    748KB

  • MD5

    964be19e477b57d85aceb7648e2c105d

  • SHA1

    6c8ab56853218f28ac11c16b050ad589ea14bafe

  • SHA256

    9843ceaca2b9173d3a1f9b24ba85180a40884dbf78dd7298b0c57008fa36e33d

  • SHA512

    60379f9bf7f4e59f81f95898d1b0c10ea82abd306dbdf4dfef921e873bf4c3d2c4914d498efa16d60c52171a1802099c3c61289a12c64f13ea9457cd807ce4ca

  • SSDEEP

    12288:0EI6h2sJXCB1joFX4HcTHQPviK5qXOlL29huNghWdLzqCTz0MDNhmku02k//m1:0EPXCzoXPQR5qXfDsghWxnTz0eNhFn2c

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies registry class 6 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\964be19e477b57d85aceb7648e2c105d_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\NetWork\dat.dll" IncrementPageCount [303]
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\system32\CompMgmtLauncher.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\system32\CompMgmtLauncher.exe
            C:\Windows\system32\CompMgmtLauncher.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wserver.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2664
              • C:\Users\Admin\AppData\Local\Temp\wserver.exe
                C:\Users\Admin\AppData\Local\Temp\wserver.exe
                7⤵
                • Sets DLL path for service in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2896
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c "C:\Users\Admin\AppData\Local\Temp\writeservice.bat"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2584
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1
                    9⤵
                    • Runs ping.exe
                    PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1816
  • C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    1⤵
    PID:2408
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe Nwsapagent 2572
      2⤵
      PID:2812
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe Nwsapagent 2600
      2⤵
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\NetWork\dat.dll
    Filesize 212KB
    MD5 fff3c03e6c455eaba70ec816a4439b95
    SHA1 e102a2ff536d2df93ec9c507e52c04bba773b550
    SHA256 9969fc3043ed2917b76b6dbae36bd2e0846b90e9d93df4fc4f490fdf153da435
    SHA512 c07edbc760e769dc0dc6adcd83f2b9b7fa3e845286f19dfbfe8bb8df56bbdbc8b4e5f0e794834d3ecfcf37ea7de8011f86d9153dfec6603f2fa4fc0d5c1414d9
  • C:\ProgramData\NetWork\key.dat
    Filesize 261KB
    MD5 ae755e20cd3a6f2721096736c5c3aed5
    SHA1 53ab54c2c3ea3d6921fa2bf5fde69255dc41fbed
    SHA256 1687af091d38108eeed634c0539b9639c6128aed9588a370f51a957bee534f39
    SHA512 73b68961457b2525a4703ea8486f37d4beabdb4f85c65971cfa953e0a3dd36724811a12a933b291b34f11a5d8b4cb11d4af3747e2506c345ab81bcae3fb8f810
  • C:\ProgramData\resmon.res
    Filesize 2KB
    MD5 12547deaeccf3c2089669889787a3fe8
    SHA1 7ad71ad103d41f596c934c8b7be39561a9f908d9
    SHA256 e935dd62556538f08b020d5b2246702f08fd08880a99704466b9a852c23d073a
    SHA512 a0c416efe352fc704491ea2d82334155b1b79449857baf72edfb8e7a36730b571c17e38f4ac9815a413b2add2dcdcc58ebfe9aa0df51cc18b28c07b93e1f2f9a
  • C:\Users\Admin\AppData\Local\Temp\delself.bat
    Filesize 299B
    MD5 13aaf8bf3813fac2b81c80abf3302911
    SHA1 fd8f5360af4ca87da0f09558b9c09b04adcf6141
    SHA256 5ec581b64d2091415e6e3a6e0bb846e634a7f83918a965ef129dfb97bf210e9f
    SHA512 dab8bd87a22cb4397c0196d05a97783fc7b442faa5d485dbdce0d02f6496a2f3e1147897019f5cfc185f8c0a413a667508ddc6cc02863c65800bf3a201ab6e40
  • C:\Users\Admin\AppData\Local\Temp\writeservice.bat
    Filesize 226B
    MD5 aff6285257f73b114174b04102c04735
    SHA1 9e4a561dd7c8b8161a2720e375fc99ab02fc1b9b
    SHA256 0ce4e59a2763ae7a92bd0e13d8716bf550085f0ac9f4cec0702a9c0ce30c03a3
    SHA512 0c612f4cebcc0c319dc46e31111a78bde9a6a8d6700c6066bec679f8fa1cc813d819b8dc26de7a1f7f6a3407c73999814798c12c2e3507d9350686eeea48fada
  • C:\Users\Admin\AppData\Local\Temp\wserver.exe
    Filesize 36KB
    MD5 18ea3d4c9639a696b96e49f53af2b161
    SHA1 5c1d4af865b4d514340d6a2dbb42523a142ab5d8
    SHA256 690f5bd392269d80061e8e90a9aedac4f9bb2e898db4211b76a6e27a1ed95462
    SHA512 fd6d79a533cb3fe255053e962fac882864be708b19b1c8922652e2bef4eda01ef209220ab06503adbbca047b833fb50ffac8fb66e490ce93e42d34cb9e51a892
  • \??\c:\windows\systemfile.DLL
    Filesize 56KB
    MD5 89de9c0ce214d2e437e2ce6d266ab100
    SHA1 cebabb80844c823df4539f4db29d7bca27e1f50a
    SHA256 7bd1016b5f3a5004166de5cf7f1846024684979de413417d83321c931c1b5929
    SHA512 ed8ad8bb8b4e065fb890acf0dadaa494a2f03b8c76dca17c15141cfa9129fdd63b5f3e099195c806ef37c1f55ff5b8b82728c44b165bc06bdc270e3fdba8eeed
  • memory/1728-2-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize 4KB
  • memory/1728-1-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize 4KB
  • memory/2072-17-0x00000000003D0000-0x0000000000412000-memory.dmp
    Filesize 264KB
  • memory/2260-42-0x0000000000020000-0x000000000003B000-memory.dmp
    Filesize 108KB
  • memory/2572-34-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize 68KB
  • memory/2600-51-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize 68KB
  • memory/2812-32-0x0000000000080000-0x0000000000096000-memory.dmp
    Filesize 88KB
  • memory/2812-36-0x0000000000020000-0x000000000003B000-memory.dmp
    Filesize 108KB