c0905037542b6509fdc3cc5146ab6c181b1d799ab9ea01d84aec78c574e9a966

Analysis

max time kernel
141s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
Size

1.0MB
MD5

0a0e21a4c70a1bfe6e97f39a1a79c639
SHA1

c0594ce0f3dd3b172a87618413a9219f34b71a26
SHA256

c0905037542b6509fdc3cc5146ab6c181b1d799ab9ea01d84aec78c574e9a966
SHA512

40c09f46eea499da18330972d71cb9ebbaca3f71f43fd63b034fb49b4712f25435bddb3c330bd5a7aa14df4c6b037063d7a05296242158bf4044b4671708aebd
SSDEEP

6144:LlJVQaL9M2Jktja5Uw1VQ3QBohoh/ACdVVzS2S1iTXuKUn2X5A2tyfDvdN9RS:Zb5eEUwxAoNZdVBS2S8XuKUn2ztypZS

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2480	MPG.exe
3012	server.exe
2676	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	server.exe
3012	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogon.exe"	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2480	2164	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	28
PID 2164 wrote to memory of 2480	2164	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	28
PID 2164 wrote to memory of 2480	2164	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	28
PID 2164 wrote to memory of 3012	2164	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	29
PID 2164 wrote to memory of 3012	2164	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	29
PID 2164 wrote to memory of 3012	2164	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	29
PID 2164 wrote to memory of 3012	2164	0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe	29
PID 3012 wrote to memory of 2676	3012	server.exe	30
PID 3012 wrote to memory of 2676	3012	server.exe	30
PID 3012 wrote to memory of 2676	3012	server.exe	30
PID 3012 wrote to memory of 2676	3012	server.exe	30

C:\Users\Admin\AppData\Local\Temp\0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a0e21a4c70a1bfe6e97f39a1a79c639_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\MPG.exe
  "C:\Users\Admin\AppData\Local\Temp\MPG.exe"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MPG.exe

Filesize
267KB

MD5
7eae382c9ae3926316660c6ec8656f0e

SHA1
1ef1e41e0a6e5d23f1ddcde471c704c92303a982

SHA256
b7c46d3198f75d2ae544adcf9c25e1fadefb06c8fb6656f3b72e3c4c653cbef5

SHA512
5dcfd1ae6db3f8bff9d88dcbef82406197b515f63dac3f540319e215924b59e6f49ce91aa28fe8dadf081150ea158bc2b69d7d51234e5ac044962b9ac29e98a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
741KB

MD5
2a0ee7cb8a71f66a3e8a915b313d6386

SHA1
c092193b749664a3a5aec263cded84fb59fa0802

SHA256
4607cd8041a9047722b8b81c3c72b53beb03decc8e1f7389fcecaca55da4ce85

SHA512
666fa5876161d3e3dbf964c85f7d9476ca90e9a28c5cf986f1362ab36ed5783e2d316e1f4569a1b285259d697947fd9f1431de81fd840bc3998a8d960a681e7b

Download Submit
memory/2164-0-0x000007FEF5EEE000-0x000007FEF5EEF000-memory.dmp

Filesize
4KB

Download
memory/2164-2-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/2164-3-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/2164-33-0x000007FEF5EEE000-0x000007FEF5EEF000-memory.dmp

Filesize
4KB

Download
memory/2164-34-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-20-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-35-0x000007FEF5C30000-0x000007FEF65CD000-memory.dmp

Filesize
9.6MB

Download
memory/2676-31-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/3012-29-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads