24bd6e44239e21ce59e11f486f3d7fc38a92ac59300e7df2dfee7a2a7f9f68d5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a573721bac8c733f1c12f565a0f13425_JaffaCakes118.exe
Size

341KB
MD5

a573721bac8c733f1c12f565a0f13425
SHA1

7bc3fde437ec620835aed454e46f0d9ed489f1f3
SHA256

24bd6e44239e21ce59e11f486f3d7fc38a92ac59300e7df2dfee7a2a7f9f68d5
SHA512

c8f1d819cfe067725ccf921ba9d9419b096b6b3d267c6d1cea554e5d63e038b42a34f853e1f47f7d6f6305cc327740d659473182e8d8ab0f235c0f939096ad83
SSDEEP

6144:E1f3p4J7kSBQW1L9yM37MO6tEjsV+wD8+O7fy2my15THWf:Gh4l1L9DgOCuQ+Y3O7fyzcTHWf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2184	Alarmed Group.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	a573721bac8c733f1c12f565a0f13425_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	a573721bac8c733f1c12f565a0f13425_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\TempCheck.job	a573721bac8c733f1c12f565a0f13425_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a573721bac8c733f1c12f565a0f13425_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a573721bac8c733f1c12f565a0f13425_JaffaCakes118.exe"
1⤵
- Maps connected drives based on registry
- Drops file in Windows directory
PID:2204

C:\Users\Admin\AppData\Roaming\Alarmed Group\Alarmed Group.exe
"C:\Users\Admin\AppData\Roaming\Alarmed Group\Alarmed Group.exe"
1⤵
- Executes dropped EXE
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Alarmed Group\Alarmed Group.exe

Filesize
64KB

MD5
31ad2cc8dcdd5f51175db4007cb39787

SHA1
582d4c3b30b77c8dacc6d3c0f69fc8890ccc69cf

SHA256
4d218e27a4f2fc0b555d12c139d19bac6e1f91ee853d964cbd59894df8bc3055

SHA512
a7defdcc8163188db356581fe9f4b73548a4c5c167dcdabfe554b2b25865eb40e82689c7f98ddfdff764e3302adf184ea860f9bb13c4fa035e36cdd893a49fec

Download Submit
memory/2204-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2204-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2204-2-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2204-4-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/2204-5-0x0000000000160000-0x000000000018F000-memory.dmp

Filesize
188KB

Download
memory/2204-16-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/2204-12-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2204-9-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/2204-25-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/2204-28-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download