Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-06-2024 23:38

General

  • Target

    046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe

  • Size

    413KB

  • MD5

    046997c4d35f39904d6fcf1d38952489

  • SHA1

    079f088c70f2a10dd6e3371e5473b7057d50f7ac

  • SHA256

    d7680f6572553bad5a5734d106e42aace4338b0a15ae584681481d3802b9eb8b

  • SHA512

    2de152c36cfea35986cd56531dd3c640722abb44c9865cebad0dc9e8a077dbde94f3cf6153ed5a1e5b35cca13aef102cbc8da673e86da917983952a8aa3ddba4

  • SSDEEP

    12288:/P6ys+NgzZhkDjhsrsSsQifn/9043t207pK4c:7BNUfkiQSK10YtHFK4c

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 53 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Drops file in Drivers directory
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\regedit.exe
      C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
      2⤵
      • Runs .reg file with regedit
      PID:2616
    • C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\SysWOW64\regedit.exe
        C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
        3⤵
        • Runs .reg file with regedit
        PID:2440
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
          4⤵
          • Modifies Internet Explorer settings
          PID:2496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\System\taobao.ico

    Filesize

    14KB

    MD5

    468fada123f5548ac87e57bae81f6782

    SHA1

    edb8f012c25906e6afd8bf335b495e16c440243d

    SHA256

    091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

    SHA512

    635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

  • C:\WINDOWS\system32\drivers\etc\hosts

    Filesize

    3KB

    MD5

    8ebaaf110f51a5d473bf713e602cfe70

    SHA1

    91dda6b9145553391117ea584b1baa94d757d74c

    SHA256

    9bb7d86f074b7941b97dadd516e7e53bc6304d11393bea53b0682df651e96fc3

    SHA512

    af842df53c7bbccb8fda1c95d8a8bce9a68376c1754bc7105459e7d86b723baba62625ccf9c5c2bbf32b18aa915e5779cd739c71892b629ceb6400c9fbc9d856

  • C:\Windows\SysWOW64\msscp.reg

    Filesize

    228B

    MD5

    2d06a424ad1c7611ea9caad93892ea26

    SHA1

    a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8

    SHA256

    8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c

    SHA512

    3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

  • memory/2664-0-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/2664-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2664-27-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/2924-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2924-10-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/2924-25-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB