151718427cb036797df38697c4b2f2b8659c1650aaf70f04d5924c9e8723f582

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe
Size

21KB
MD5

031b2b443fa2998c7e64a57a737ac1e6
SHA1

85f1a30b0315a1f84012b5d65a72979c32b55ed5
SHA256

151718427cb036797df38697c4b2f2b8659c1650aaf70f04d5924c9e8723f582
SHA512

dbe0c710072a7d886dd96d18a0d90328f5b4ba9716d92fe6b625e5b984a3063633dfc8dcdffebed7617c2aafa7886f3f147e9bb7aa254a880599a68dbbf8e5e2
SSDEEP

384:bE3OL0e5yjM+2k/IQ69pZYu4jjpJkEpTVhAxfr6+e9Pfqbn1RW/Wb:bE3OL0eQjMG/IQupZYu4jjpesVyxOhab

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\8270DB72\ImagePath = "C:\\Windows\\system32\\9C57790F.EXE -k"	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c00000001227e-2.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2220	9C57790F.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\9C57790F.EXE	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\9C57790F.EXE	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\9C57790F.EXE	9C57790F.EXE
File created	C:\Windows\SysWOW64\7B319609.DLL	9C57790F.EXE
File created	C:\Windows\SysWOW64\delme.bat	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2240	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe
2220	9C57790F.EXE
2220	9C57790F.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2684	2240	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2684	2240	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2684	2240	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe	29
PID 2240 wrote to memory of 2684	2240	031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\031b2b443fa2998c7e64a57a737ac1e6_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\delme.bat
  2⤵
  - Deletes itself
  PID:2684

C:\Windows\SysWOW64\9C57790F.EXE
C:\Windows\SysWOW64\9C57790F.EXE -k
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\9C57790F.EXE

Filesize
21KB

MD5
031b2b443fa2998c7e64a57a737ac1e6

SHA1
85f1a30b0315a1f84012b5d65a72979c32b55ed5

SHA256
151718427cb036797df38697c4b2f2b8659c1650aaf70f04d5924c9e8723f582

SHA512
dbe0c710072a7d886dd96d18a0d90328f5b4ba9716d92fe6b625e5b984a3063633dfc8dcdffebed7617c2aafa7886f3f147e9bb7aa254a880599a68dbbf8e5e2

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
ed6f0d8ebc1f9d9fd471ef189fd940fb

SHA1
531102a07d39380a47b9e7ceea58714fc8e31ef0

SHA256
8300369425b50607d7c4bd087dc7c0d6749fd6a0b381be8fb9306811d2162350

SHA512
cf02cfe3d11dded9e4f726abceb1cd4a6cd16226bbed1ab257ec3498e136a699f461b14c1c652db73f091e75a22b291b968ec07adf70cfc13bee26f131fda676

Download Submit
memory/2220-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2220-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2240-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2240-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download