Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 07:34

General

  • Target
    0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe
  • Size
    244KB
  • MD5
    0411fbf6288de3e978aefd69af73d00e
  • SHA1
    810344528cdf8b82cb9f9694ac607690c36961f8
  • SHA256
    c3b38963d437f369539cd22a21f83105f2febb99dc6feb30434f2f0bbb2f5d42
  • SHA512
    35ca2b2e6d7fa3de002d831d2de2fc64a4bb87181610f6760c83105e2f5edbd68a4004f864784fe1ca8ba4f4d0ce2034dbcd541fc8d011ab26a3724dd20ee772
  • SSDEEP
    3072:exBcTBPt+MxJwVEi/8HAuPX6HGJfKV2DVLoF4x7H9PoST:MBEBl+ywVEi/8HAuiHCftDVLoF4B9hT

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0411fbf6288de3e978aefd69af73d00e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_212.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:352
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 /s /c C:\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll
        3⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
    Filesize
    858B
    MD5
    d727e34e3f5eb5ee1ce17fe4c66bf617
    SHA1
    ea796e8b305510775d244f30758e125a01569626
    SHA256
    d0cd1c2b674ee72b000ecacb181addd7735f4c3478731c23f4649e312e4c607d
    SHA512
    ae3028364bf02b3e7c78d7a44a3305537c16d7feefb9dd968296b86425babaccee81af0c40eb7f8f374266df0e2c3c1a08b6b951ceaddc55572d6f0f1e85705c

  • C:\Users\Admin\AppData\Local\Temp\glk_300_212.bat
    Filesize
    62B
    MD5
    f33f30c3cddbb32ce1641f7aa325a170
    SHA1
    dcaa649892d9acf11658bb7b85ae63b76d36a4a8
    SHA256
    efc90ad2a6161fb21977815aeb81095e82572a40a2b3ab69cd1abad04c6bc23d
    SHA512
    d07d64eaf8cee948de2099fc791f79a5b6a58529c760bd3f3105d2689708930026a54b3b27c0e55bbf4b3356ff9c8bd915704e80af7735a865bcf4a9abcadf79

  • C:\Users\Admin\AppData\Roaming\PIPI\pwdedit.dll
    Filesize
    7.2MB
    MD5
    5ae46845cf644cf46d738ee441adc7ce
    SHA1
    0128e5e263f351129c8ebbbeddb6d9b5ef122724
    SHA256
    483bb4fe1f45acd0013e863a70e58724dbceb1738a214ce3db15e7f9dbabf80e
    SHA512
    d7c8a8b73767432a1b81b70b700646a6d39a3e25632cec794fba673be9168d968f64042dadd5f80bf566b4b420fc28a85ce6beec57c716b0c51e321f01a2bd4a

  • \Users\Admin\AppData\Roaming\PIPI\pwdedit.dll
    Filesize
    6.9MB
    MD5
    24cf25203580aaed1edf6627e2de418d
    SHA1
    81ca5a48ad17f4738d4629c104b6e50933aaf7ad
    SHA256
    5a19568ac061c91f64a7747d39360bfd48d1cbe280626442911a953091277171
    SHA512
    fbe03be1d5a269cf28555823dbc1abb330e747af8034ceb096fc49e20803e9bdea9f8fe3e8c3811981f977381b5f7cdd295644e9dc68b143c1623897dd412e1b

  • memory/1460-0-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize
    244KB