Analysis

max time kernel: 141s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 11:11
Static task: static1

Behavioral task: behavioral1
Sample: b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General

Target: b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe
Size: 300KB
MD5: b84cb1bf75e472973bed157bab410f04
SHA1: fe4d97e9fd68677ae1e1b459885b3979eabba445
SHA256: 69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a
SHA512: 266128f62ef53d596196bed76ef94c9aef135f248a2c0a9b44a909bdff4613a048875d9a8debf7082e50eea29acb32891fd7edc535d085558a9250a5f402c9a8
SSDEEP: 6144:IXTq8tcMqCZuCkGZGXOGrmtiwJpIS3tJ0dNaVcW+VoImI8EDQGXI/:38cMq8uepPrSNamDT98EdI
Malware Config

Extracted
Family: buer
C2: https://officewestunionbank.com/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: AutoReg.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\656f82acb09c236f5a68\\AutoReg.exe\""
  (The stock Shell value is explorer.exe alone; the appended path makes winlogon.exe start AutoReg.exe at every logon.)

YARA rule "buer" matched in memory (behavioral1)
  resource                                              region
  behavioral1/memory/1652-2-...-memory.dmp              0x0000000000220000-0x000000000027C000
  behavioral1/memory/1652-4-...-memory.dmp              0x0000000040000000-0x000000004005D000
  behavioral1/memory/1652-13-...-memory.dmp             0x0000000000220000-0x000000000027C000
  behavioral1/memory/1652-12-...-memory.dmp             0x0000000040000000-0x0000000040BA8000
  behavioral1/memory/1988-15-...-memory.dmp             0x0000000040000000-0x0000000040BA8000
  behavioral1/memory/1988-16-...-memory.dmp             0x0000000040000000-0x0000000040BA8000
  behavioral1/memory/1988-18-...-memory.dmp             0x0000000040000000-0x0000000040BA8000
  behavioral1/memory/1988-19-...-memory.dmp             0x0000000040000000-0x0000000040BA8000
  behavioral1/memory/1988-32-...-memory.dmp             0x0000000040000000-0x0000000040BA8000
  (Each resource name is behavioral1/memory/<pid>-<n>-<start>-<end>-memory.dmp; the region column spells out the start and end addresses.)

Deletes itself (1 IoC)
  PID 1988 AutoReg.exe

Executes dropped EXE (1 IoC)
  PID 1988 AutoReg.exe

Loads dropped DLL (2 IoCs)
  PID 1652 b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe
  PID 1652 b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: AutoReg.exe
  File opened (read-only): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  (23 drive letters; C:, D: and F: do not appear in the list.)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1652 b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe wrote to memory of PID 1988 (procid_target 28), recorded four times
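The Winlogon Shell modification above is the persistence mechanism worth alerting on: winlogon.exe starts every entry in the comma-separated Shell value at logon, and the stock value is exactly explorer.exe, so any appended path is a launch point. The following Python is an added example (not part of the sandbox report and not code from the Buer sample) that parses "Set value (str)" lines in the format printed in the Signatures table, undoes the report's escaping, splits the Shell/Userinit list and flags entries beyond the defaults. It goes beyond the page by also checking the Userinit value and the native (non-Wow6432Node) key path. Only the first sample line is taken from the report; the other three are constructed, and the default values and the "user-writable location" heuristic are assumptions about a standard install, not something the report states.

```python
import re

# Logon-time launch points under Winlogon and their stock values, lowercased for
# comparison. These defaults are an assumption about a standard install, not
# something taken from the sandbox report.
WINLOGON_DEFAULTS = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}

# Heuristic (assumed): a legitimate shell or userinit never lives under these.
USER_WRITABLE_RE = re.compile(r"\\(programdata|appdata|temp|users)\\", re.IGNORECASE)

# One sandbox "Set value (str)" line, in the layout used by the Signatures table:
#   Set value (str) <key> = "<escaped value>" <writing process>
EVENT_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.*?\\Winlogon\\(?P<name>Shell|Userinit))'
    r' = "(?P<raw>.*)" (?P<process>\S+)$'
)

# Constructed sample lines. The first is the entry from the Signatures table above;
# the others are made up to show a benign write, a Userinit tamper and a non-Winlogon key.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\656f82acb09c236f5a68\\AutoReg.exe\"" AutoReg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\upd.exe," upd.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\upd.exe" upd.exe',
]


def unescape(raw: str) -> str:
    """Undo the report's C-style escaping: a backslash makes the next char literal."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def split_entries(value: str) -> list:
    """Shell/Userinit are comma-separated lists; drop blanks and surrounding quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def normalize_key(key: str) -> str:
    """Fold the WOW64 view onto the native path so both views compare alike."""
    return key.replace(r"\Wow6432Node", "")


def analyze_events(lines) -> list:
    """Return one finding per Winlogon Shell/Userinit write that adds non-default entries."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        name = m["name"]
        entries = split_entries(unescape(m["raw"]))
        extra = [e for e in entries if e.lower() not in WINLOGON_DEFAULTS[name]]
        if not extra:
            continue
        findings.append({
            "key": normalize_key(m["key"]),
            "wow64_view": "Wow6432Node" in m["key"],
            "value_name": name,
            "entries": entries,
            "extra": extra,
            "user_writable": [e for e in extra if USER_WRITABLE_RE.search(e)],
            "process": m["process"],
        })
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['process']} set {f['value_name']} -> extra entries {f['extra']} "
              f"(WOW64 view: {f['wow64_view']}, user-writable: {bool(f['user_writable'])})")
```

The recorded key sits under Wow6432Node, the redirected view a 32-bit writer is given on x64 Windows, which is why the example folds that path onto the native one; when hunting on a live host, read both views rather than only the native Winlogon key. Quoted paths containing commas are not handled by the simple split, which is adequate for the report format but would need a proper tokenizer for arbitrary values.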
Processes

- C:\Users\Admin\AppData\Local\Temp\b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe"
  PID: 1652
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\656f82acb09c236f5a68\AutoReg.exe (child of PID 1652)
    Command line: C:\ProgramData\656f82acb09c236f5a68\AutoReg.exe "C:\Users\Admin\AppData\Local\Temp\b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe" ensgJJ
    PID: 1988
    - Modifies WinLogon for persistence
    - Deletes itself
    - Executes dropped EXE
    - Enumerates connected drives
Network
MITRE ATT&CK Enterprise v15
Downloads

- b84cb1bf75e472973bed157bab410f04_JaffaCakes118.exe (the submitted sample)
  Filesize: 300KB
  MD5: b84cb1bf75e472973bed157bab410f04
  SHA1: fe4d97e9fd68677ae1e1b459885b3979eabba445
  SHA256: 69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a
  SHA512: 266128f62ef53d596196bed76ef94c9aef135f248a2c0a9b44a909bdff4613a048875d9a8debf7082e50eea29acb32891fd7edc535d085558a9250a5f402c9a8