c23a88218aefda1bfd2da60e61168a65302a0553bc89decb7f009327dc6efee1

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe
Size

73KB
MD5

02edae91d80c962fdbf656ed689f9dcd
SHA1

2186fada01cc536bbf3684e36c6abe541358b24d
SHA256

c23a88218aefda1bfd2da60e61168a65302a0553bc89decb7f009327dc6efee1
SHA512

8a8f17536f21382bceb61760e69314acd4d3aab2c3b6538cc6811266ff1b92576e17f4362e12b1227e3eb34d054a7900bbd8f24c53b284a04349b5d9d9f27365
SSDEEP

1536:RoIyF4R9jdKJRc0BkTBik2LtpsBTpWb8+uGOwdpSeOHF4iUMOida+2IJRy:RoIjjxcc0a4ITpWQ+rOw9OHF4dP4iIJY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP\F3C74E3FA248.dll	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe
File opened for modification	C:\Windows\HELP\F3C74E3FA248.dll	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\HELP\\F3C74E3FA248.dll"	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2948	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2948	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2948	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2948	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2636	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2636	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2636	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	31
PID 2140 wrote to memory of 2636	2140	02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02edae91d80c962fdbf656ed689f9dcd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
41bd4f1cc6ab54687004d7b1015ba72e

SHA1
830b25b829026cc026af3bb5b952fc15b625bfbd

SHA256
b8ba34f3ce5cffbf0c4a1ffbcd57f82aefe281e1bd8c0a57fae4ac89d4aa5cf5

SHA512
a5f01d3200a13904b69d679227a5112ab9759bf14e36999fe238bda039e6ecef176ed1bd690cc43eaec610fa86792bcc8ed8d10bd01cf2e2a4439f7d72a442a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
71f796f6a74f137c987409d77e25e71a

SHA1
eb338aa51b2f05f3cfe99c30fa152a39cf833d33

SHA256
23fdb5beaca88dff043af84133aedf01764360bdf078547eaa226d83beaee4f4

SHA512
2a7f1aa660660e6d994f9b6bcdc2e3b8c888ddb52a969348a5522ecb0dc4be1b50a419d10cf3d7f7f87935ce5c84340af42df49d3dcef644403ac9e955932361

Download Submit
\Windows\Help\F3C74E3FA248.dll

Filesize
59KB

MD5
634146b344984452f0de80471de29e09

SHA1
e91ea5a7b6c397a771321aa9d9405ed665116fe0

SHA256
869b2d17eb352a93520bffc451c007e2e3fd67f90116b464fcc722a03b6ce797

SHA512
0ab63db4b9ecb20055f82aa383a5b3a8c10085169564e62080618056344489db7e8fb65b3c1c646255ec46842e29577bb2bc049ce8a8b9fb6e1d6e34c356d3bb

Download Submit
memory/2140-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2140-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2140-9-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2140-24-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2140-23-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2140-22-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2140-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2140-27-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2140-28-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download