26203706cba58a2652434375528a145994353a918a80d90066e2071785c8a5ec

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 21:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe
Size

226KB
MD5

0f96f7fb12ae00ba9cdcf74a8b44455b
SHA1

d6cd60de717b8e3bb280933a357ff8ddc9e367f2
SHA256

26203706cba58a2652434375528a145994353a918a80d90066e2071785c8a5ec
SHA512

a8eab1ad1433c79bf71465d15d4cdcd212ce00234afa3cc3469a13072ea95b3bac79f1560876875b1c72fb0d552dc78acd8103c3363348445e13c9d05aeb5df3
SSDEEP

3072:ta9pVd66uFW3P4a+qsv2lN+byKM3t6VP4oqB1ePKdU3DH89wBmo:ta9pVTbR+fv2l0brM6B/qB1ePKAvl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	system.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	system.exe
2792	system.exe

Loads dropped DLL 5 IoCs

pid	Process
3056	system.exe
2792	system.exe
2792	system.exe
2792	system.exe
2792	system.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bak8011252.log	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsUpdate\360safe.exe	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsUpdate\360safe.exe	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsUpdate\ControlPanel.cpl	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Realtek\EditorsUI.dll	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe
3056	system.exe
3056	system.exe
2792	system.exe
3056	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3056	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	28
PID 3008 wrote to memory of 3056	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	28
PID 3008 wrote to memory of 3056	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	28
PID 3008 wrote to memory of 3056	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	28
PID 3008 wrote to memory of 2792	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2792	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2792	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2792	3008	0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f96f7fb12ae00ba9cdcf74a8b44455b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\system.exe
  C:\system.exe C:\PROGRA~1\WIFE7F~1\CONTRO~1.CPL comdl2
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\system.exe
  C:\system.exe C:\PROGRA~1\Realtek\EDITOR~1.DLL comdl2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\\System32\\svchost.exe -k netsvcs
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Realtek\EditorsUI.dll

Filesize
30.2MB

MD5
1f987419a0af96a270d909887817bb85

SHA1
4f19ae0307387b6f2a2429647fabc0291f8491c4

SHA256
f6a6561a2fd1c1a80758418b37fd7b05d7debc2cf718d0759ab401be4f554996

SHA512
45fdb9ec48fa5fba3c51f6a66240feeb88b023faa77dc6d6a2a0b4159d03301e004f92ca739ed2681c59e6a1e3a00edd433f9120aab5a2cf294c77588d5fe823

Download Submit
C:\Windows\SysWOW64\bak8011252.log

Filesize
84B

MD5
717073e0284d563827e8646ea002190b

SHA1
6d4d8d32778f44694291737fdd85c5d4fd413bf2

SHA256
ffdd9d5d4a1f1b76fcb52590c10df3594fc4b703abe367f8361ad362e9ab51f3

SHA512
24cbbf639551a6f90b5fd4f8539a4d480b71a51600411b1c8c39cd661a596e6269254d13b16221cb8db61ded20af419a287d9e15d3cdfa66e5099d1dd4c41ad2

Download Submit
C:\system.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/3008-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download