c5d007bbfef00088c3e0a9e37a02fedd5effc089c49e74f33e756ad22428df6f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
Size

19KB
MD5

0424bc63ed53a6e0ff5fa0f3d4292f27
SHA1

2353e1d8aa67bb4e542db632dada7c037973f2f0
SHA256

c5d007bbfef00088c3e0a9e37a02fedd5effc089c49e74f33e756ad22428df6f
SHA512

c3340411f1908bed6475a422f37813ff3fa84e34a7f489e3da975a1de5fe9fbafa4a5b6bf77637fb94b465a359774be06303eb8cc5c357787337664035dbd27e
SSDEEP

384:mSW/WMkGOu2urxMXxexWQxreVeimEb9w+obFWkHqyZwxQCQlhZqvOruy15a:BlmCxeYQJeVei5o9KSw6CYJrNo

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\8F54F3E6\ImagePath = "C:\\Windows\\system32\\C7EEC93C.EXE -k"	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1304	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	C7EEC93C.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\C7EEC93C.EXE	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\C7EEC93C.EXE	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\C7EEC93C.EXE	C7EEC93C.EXE
File created	C:\Windows\SysWOW64\delme.bat	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\C713F88.DLL	C7EEC93C.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2916	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
2556	C7EEC93C.EXE
2556	C7EEC93C.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1304	2916	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1304	2916	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1304	2916	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1304	2916	0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0424bc63ed53a6e0ff5fa0f3d4292f27_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\delme.bat
  2⤵
  - Deletes itself
  PID:1304

C:\Windows\SysWOW64\C7EEC93C.EXE
C:\Windows\SysWOW64\C7EEC93C.EXE -k
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\C7EEC93C.EXE

Filesize
19KB

MD5
0424bc63ed53a6e0ff5fa0f3d4292f27

SHA1
2353e1d8aa67bb4e542db632dada7c037973f2f0

SHA256
c5d007bbfef00088c3e0a9e37a02fedd5effc089c49e74f33e756ad22428df6f

SHA512
c3340411f1908bed6475a422f37813ff3fa84e34a7f489e3da975a1de5fe9fbafa4a5b6bf77637fb94b465a359774be06303eb8cc5c357787337664035dbd27e

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
d92befcac129a5e9dd5ac5ccda8161ab

SHA1
dee7e417e10528942eaf8df0acae653eaedde02a

SHA256
a2ffe925e64ed1a016f47a17eefcdef49b68389e5e5aaadbefe251e32f002131

SHA512
642461aa5e810486e436827e1850ec1328e5522c5fbd1eb101cd7e9c7d8ac4b4581ab106dd34a552cd1f3bb7f76310d774bbe7f0d04dc6ed81e19e65eab807ec

Download Submit
memory/2556-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2556-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2556-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2916-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2916-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2916-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download