Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 07:57

General

  • Target

    04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe

  • Size

    18KB

  • MD5

    04313e8642119d3b34a3d8ac56908465

  • SHA1

    6ec322d2d21a961d518dbc8afe0fe10f6ad2b3cd

  • SHA256

    6e98178ce94732d4177769617c11fa57951047677ddd6ce1680e2b3a178a8c95

  • SHA512

    712a4e3b69f16253b0b7314aa27e125d2dc166af3c18efc513e9fb9fb176a7caf707a5b7117137df72d143958770724dcd7a1cd4c351a1af6371816f454f0a5d

  • SSDEEP

    384:KRMCYSeqSEyk1hZAUuTbsHFNm5W/1XIJhm124:KRzeqSReUJXMm58

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
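The two persistence signatures above (policy Run key, Browser Helper Object) are registry-based and survive a reboot, so the natural follow-up on a suspect host is to enumerate those keys and resolve what they point at. The PowerShell triage script below is an added example; it is not part of the sandbox report or its tooling. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated session, and the SHA-256 values in it are the ones listed in this report. Because the report records the signatures but not the CLSID or Run value name the sample used, the script lists every registration under those keys and flags the ones whose hash matches the report or whose target lives in the user's Temp directory, where both dropped files were written.

```powershell
# Added triage script, not part of the sandbox report.
# Enumerates the two persistence mechanisms the report flags (Browser Helper
# Objects and the Policies\Explorer\Run key), resolves each registration to a
# file on disk, hashes it, and compares against the SHA-256 IoCs from this report.
# Assumptions: PowerShell 4 or later (Get-FileHash), elevated session on the host
# under investigation. The report does not show the CLSID or Run value name the
# sample used, so everything under these keys is listed rather than one entry.

# SHA-256 values copied from the report's General and Downloads sections.
$KnownBad = @(
    '6e98178ce94732d4177769617c11fa57951047677ddd6ce1680e2b3a178a8c95',  # 04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
    'e74eb2d590f545290c3e42c9b6369869d180204d0c393af1db01bf3e3f25f634',  # iebt.dll
    '560649782e14d9ddc13be659c6b9d9b812de83dcd8a8272729413e8527533fe9'   # iebtmm.exe
)

# BHO registrations live under Explorer\Browser Helper Objects; on x64 a 32-bit
# BHO (the sample is 32-bit: it ran from SysWOW64) sits in the Wow6432Node view.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# "Policy" Run keys: same autostart semantics as Run, but under Policies\Explorer.
$PolicyRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# CLSID roots consulted to map a BHO CLSID to its InprocServer32 DLL.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
$ProviderNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-BhoDll {
    # Resolve a BHO CLSID to the DLL path stored as the InprocServer32 default value.
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function Resolve-CommandPath {
    # Pull the program path out of a Run-key command line, quoted or unquoted.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|scr|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-Artifact {
    # Hash the target and classify it: IoC match, Temp-resident, clean, or dangling.
    param([string]$Source, [string]$Name, [string]$Path)
    $r = [ordered]@{ Source = $Source; Name = $Name; Path = $Path; SHA256 = $null
                     Verdict = 'file missing (dangling registration)' }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $r.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        if ($KnownBad -contains $r.SHA256) { $r.Verdict = 'MATCH: SHA-256 in report IoCs' }
        elseif ($Path -match '\\AppData\\Local\\Temp\\') { $r.Verdict = 'SUSPICIOUS: persisted from user Temp' }
        else { $r.Verdict = 'no match' }
    }
    [pscustomobject]$r
}

$findings = @()
foreach ($key in $BhoKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $findings += Test-Artifact -Source 'BHO' -Name $sub.PSChildName -Path (Get-BhoDll -Clsid $sub.PSChildName)
    }
}
foreach ($key in $PolicyRunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($ProviderNoise -contains $p.Name) { continue }   # registry provider metadata, not values
        $findings += Test-Artifact -Source 'PolicyRun' -Name $p.Name -Path (Resolve-CommandPath $p.Value)
    }
}
$findings | Format-Table -AutoSize Source, Name, Verdict, Path
```

The hash comparison only catches this exact sample; the Temp-directory check is the part that generalizes, since legitimate BHOs and autostart entries are installed under Program Files or the Windows directory rather than a user's Temp folder. A dangling registration (key present, file gone) is also worth recording, because it shows the persistence was set even if the payload has since been removed.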

Processes

  • C:\Users\Admin\AppData\Local\Temp\04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04313e8642119d3b34a3d8ac56908465_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\ctfmon.exe
      ctfmon.exe
      2⤵
        PID:2156
      • C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
        C:\Users\Admin\AppData\Local\Temp\iebtmm.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\iebt.dll

    Filesize

    7KB

    MD5

    1751401df95a07f46f382ca64e371ce2

    SHA1

    292bf09ba3f550f2570d0852dfc31d70c0d3539b

    SHA256

    e74eb2d590f545290c3e42c9b6369869d180204d0c393af1db01bf3e3f25f634

    SHA512

    9e2ddcfdca8227b02baf34d893876dd393d7bf45dd347cc2a2dac98c43ea91088dca28457101c4a3d76e247beaf324f4bf0f863da611b331fd18b8ecbdcea3a1

  • \Users\Admin\AppData\Local\Temp\iebtmm.exe

    Filesize

    5KB

    MD5

    9b0f66fdd9cd358a62c3c9fcc20ec5cc

    SHA1

    82a176fa4224c6b68deb641745954ea9db65ede0

    SHA256

    560649782e14d9ddc13be659c6b9d9b812de83dcd8a8272729413e8527533fe9

    SHA512

    9b6d7b5c6e59a8c4acd2c84195ebaa40a7433350acb4152ab0d8c9b8496a9197cf3231a8c1bb7fbb6421c68487394aa318d7d7078ddd5556dc92e784614b9a60

  • memory/1916-0-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/1916-4-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/1916-8-0x0000000000260000-0x0000000000267000-memory.dmp

    Filesize

    28KB

  • memory/1916-15-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/1916-18-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

  • memory/1916-20-0x0000000000260000-0x0000000000267000-memory.dmp

    Filesize

    28KB

  • memory/2960-14-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2960-16-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB