dddea2f6e33dfb8017e4a91765a7ce8c30f84cdbf37d03e483a01b89aec0a562

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 22:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe
Size

96KB
MD5

0fbe6d71a7bda68660520755acc01804
SHA1

6439a86957ac2c852e243b224ecc89369caa862b
SHA256

dddea2f6e33dfb8017e4a91765a7ce8c30f84cdbf37d03e483a01b89aec0a562
SHA512

8c5dc6ff3d7e32d62d679593487ab09c1df0ad45f0a899ddfd655c59cea2bbd7e8667b713b5617e48ef35a54907fd02998a282277dee0c6f662a3a05cd1448fd
SSDEEP

1536:+nRDdoT5ByBtnGxYbee2lAVJkEtQwoAzkIvc0rqVq5GnE9unGg1cQ7IoqAqLWQuN:yc5kBtGxJneJERAw9E9cFmQ7INA4t/IN

Score

7^/10

vmprotect

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2088-0-0x0000000000400000-0x0000000000441000-memory.dmp	vmprotect
behavioral1/memory/2088-1-0x0000000000400000-0x0000000000441000-memory.dmp	vmprotect
behavioral1/memory/2088-20-0x0000000000400000-0x0000000000441000-memory.dmp	vmprotect

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Darkbomb.dll	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2796	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	28
PID 2088 wrote to memory of 2796	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	28
PID 2088 wrote to memory of 2796	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	28
PID 2088 wrote to memory of 2796	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	28
PID 2796 wrote to memory of 1816	2796	cmd.exe	30
PID 2796 wrote to memory of 1816	2796	cmd.exe	30
PID 2796 wrote to memory of 1816	2796	cmd.exe	30
PID 2796 wrote to memory of 1816	2796	cmd.exe	30
PID 2796 wrote to memory of 1816	2796	cmd.exe	30
PID 2796 wrote to memory of 1816	2796	cmd.exe	30
PID 2796 wrote to memory of 1816	2796	cmd.exe	30
PID 2088 wrote to memory of 2764	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2764	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2764	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	31
PID 2088 wrote to memory of 2764	2088	0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fbe6d71a7bda68660520755acc01804_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "c:\support338945a0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe Darkbomb.dll FunctionStart
    3⤵
    - Loads dropped DLL
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0FBE6D~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Darkbomb.dll

Filesize
42KB

MD5
cd7c4b4ea5da926d4b166b5a577c6b87

SHA1
78a18a4d1e628957221bbba7dc6a129cbffee719

SHA256
f2b482023389f42578000a3bbefaa7df0e0dae11df82ab142a111c9ba556fa40

SHA512
2ffd9ce2b1819c620bd90da87497b509114bbf8833d741ea609c4515144d2408282fd57807443b4ab47562c9721426ea3826a4e3991a182ee0777f4042433321

Download Submit
C:\support338945a0.bat

Filesize
39B

MD5
d6ad254c75599ac9ceb317d261cfe354

SHA1
f9c9bae9bdba0ea9d3c486e13cb554ec9b010909

SHA256
3142a7859b079df4a8fd3daf7a9d0057dd2c18ca302c69a6f9526ee543c9a655

SHA512
b05820cab51f66b5b8213359f0a0ddde125e3eab5fdfd196393dc805fc02fd9e72bdb1704cc0718131fc55a8b3d7cd7e54f53fa8140a187b508c443f6d85b473

Download Submit
memory/1816-18-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1816-19-0x000000001000E000-0x000000001000F000-memory.dmp

Filesize
4KB

Download
memory/1816-22-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2088-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download