0b5772eed28349c5a87d93423766a235337968e1f97602d7869f426dc10d305a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
Size

12KB
MD5

03d98dd0272abf54fd37e137e1c00dbe
SHA1

caddad75e43e5d447b2ed2a6d1242400edb6aab2
SHA256

0b5772eed28349c5a87d93423766a235337968e1f97602d7869f426dc10d305a
SHA512

89758c17217a8e19cf1ebb3477bfe0502e2638229888e92c88b3dfc45398a0c6a5669780e9d79480ea7c317e06171ecc72f59e574d8077f328b15b733840f405
SSDEEP

384:xc+jY2ZNii+YANVkZpFbml2tBQVABKNYP:e+jZ4NVkrFb4a4OuY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zhrsntxo.dll = "{32049D7A-E017-435c-A161-BDCB7874B580}"	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zhrsntxo.tmp	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zhrsntxo.tmp	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zhrsntxo.nls	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32049D7A-E017-435c-A161-BDCB7874B580}	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32049D7A-E017-435c-A161-BDCB7874B580}\InProcServer32	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32049D7A-E017-435c-A161-BDCB7874B580}\InProcServer32\ = "C:\\Windows\\SysWow64\\zhrsntxo.dll"	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32049D7A-E017-435c-A161-BDCB7874B580}\InProcServer32\ThreadingModel = "Apartment"	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2944	1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2944	1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2944	1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe	28
PID 1700 wrote to memory of 2944	1700	03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03d98dd0272abf54fd37e137e1c00dbe_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8F64.tmp.bat
  2⤵
  - Deletes itself
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8F64.tmp.bat

Filesize
207B

MD5
d94fba24da976e1983f06b0884ead24d

SHA1
944a241e7c0f73aa9f1defefdb3bd22bfcc3e7e7

SHA256
584608ae5bb4d8310a04023c87b8af77b9813d82b21d673d17631cd346b97fe7

SHA512
09f485223dae983554bb99225c9bf32a8b6cb628e6bf7a08bdf680342a9656aba8e90b86a2ee3ffdad537a2122b091406935ef63b73e1c294cfed888a2c34488

Download Submit
C:\Windows\SysWOW64\zhrsntxo.tmp

Filesize
2.0MB

MD5
022be5be83acca0b49a889fff505589f

SHA1
a74c898c43b6d29a95fd440f887524194df1c1a0

SHA256
32c807b8e71919ee141e2661b399a18b3f18b852aa99b3f1e45870a03838fb8d

SHA512
1ab403567897e406fcd8de66e11b561a038b47db05fde14042698e94f858f1513664ecf4139f10caf06c99e5858294efc976b8095599dac3322a8f5955e40553

Download Submit
memory/1700-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1700-21-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download