8f1efedc8a775a66d1f48033ce08ad85dd40382b802740a0c9c6be55e3081993

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe
Size

17KB
MD5

013ae272a8592dc71cf0e365224b4c5f
SHA1

07c0c948d1dfdadaf5ca4ad3218321510c3b20e7
SHA256

8f1efedc8a775a66d1f48033ce08ad85dd40382b802740a0c9c6be55e3081993
SHA512

561c1c3af88f37b72c98012f93cac797df5c0c2149ebf2ba0ff3e93f87038bb5688aa4cf36b60a2cfa303f5398da8d8fc5c2d3f9d1f6008fd1e7a55ed2f8a9dd
SSDEEP

384:Xb1YqflUofA8IT+kgPPYtCQ/ZfcyN5Q6gttA0nurPPnyhI:XbuCl5A8I7gYEwfcrJnqChI

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	ishost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ishost.exe = "ishost.exe"	ishost.exe

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1240	ishost.exe
2984	ismini.exe

Loads dropped DLL 4 IoCs

pid	Process
2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe
2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe
1240	ishost.exe
1240	ishost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ishost.exe	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ishost.exe	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ismini.exe	ishost.exe
File created	C:\Windows\SysWOW64\components\flx0.dll	ishost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe
2984	ismini.exe
1240	ishost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1240	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	28
PID 2056 wrote to memory of 1240	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	28
PID 2056 wrote to memory of 1240	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	28
PID 2056 wrote to memory of 1240	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	28
PID 2056 wrote to memory of 3012	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	30
PID 2056 wrote to memory of 3012	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	30
PID 2056 wrote to memory of 3012	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	30
PID 2056 wrote to memory of 3012	2056	013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe	30
PID 1240 wrote to memory of 2984	1240	ishost.exe	29
PID 1240 wrote to memory of 2984	1240	ishost.exe	29
PID 1240 wrote to memory of 2984	1240	ishost.exe	29
PID 1240 wrote to memory of 2984	1240	ishost.exe	29

C:\Users\Admin\AppData\Local\Temp\013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\013ae272a8592dc71cf0e365224b4c5f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\ishost.exe
  C:\Windows\system32\ishost.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\ismini.exe
    C:\Windows\system32\ismini.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\013AE2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ishost.exe

Filesize
32KB

MD5
250bc0514768909e6b12c0a8e6673241

SHA1
e162b2d21e160a98831239b8d284aa7d701b8979

SHA256
27198b8cdcc1afd9a26eac6c23c39575ed65c716d8028ed1e7b87dd3984d0fb1

SHA512
7b80b3f2405e9dc1729ce383bcb31e2ad514f9386be5cd2594e98261dde132548e04c632409fe0cc95c37b9bab8db5c43836455fda273dd13857e6402e04ab4d

Download Submit
\Windows\SysWOW64\ismini.exe

Filesize
4KB

MD5
35c39fa81fdcff270083aa152b00383c

SHA1
fa4349fec827bdb9816e99b42357a532ee5b35f5

SHA256
596ef02e8220280a5f62b24ac65701dbfdab4882d916756875ef019f81889c80

SHA512
c09736a6da1b1197480ac347fda66ed4b88f74d2888682f1ee89f5129d60ba0cd8c8f4720d2864e36c8b51eb68a2e1205254e7c7ca50481194e23bb9c5befbca

Download Submit