097220ee85e37169d54e160276aaad25425636826facccd17ecbd5ab31d4d228

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
Size

69KB
MD5

0ca59122f5d3a3853e67612a48df78ab
SHA1

23d167aa148010956ee0fdb19db0cf730b5608de
SHA256

097220ee85e37169d54e160276aaad25425636826facccd17ecbd5ab31d4d228
SHA512

b0701162232d645779a8672f535ff07e4286f36edf48a336fefb84ddc4437e5bd2b8be5d29f3bb9c2184ad4c4f0605f936b808101ab277ba6365a90aeb5bb12c
SSDEEP

1536:FNxU+W+73uSpoo3e/8+dcr2yS7yt0xzSjo+QQad:NU+W+qNo3e9Sy/K882

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\system32\\\\services.exe"	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hnca30 = "C:\\Windows\\system32\\.exe"	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\†\mirror.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\†	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\†\scservice.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\†\hnca30.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\†\hnca30.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\†\servicess.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\†\servicess.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\†\mirror.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\†\netdhcp.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\†\scservice.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\†\netdhcp.exe	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ca59122f5d3a3853e67612a48df78ab_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\†\hnca30.exe

Filesize
70KB

MD5
8a3c0dfa6d248660d028f99b897851d9

SHA1
1677d338a89cdc83d646d290f5ee199c6d8ce1c0

SHA256
5aba42d3009614c59f1d0407009ac7ad2468752a95a0327e7e6a8355fcf0fbd0

SHA512
94abb0d4922b34ef995d9ae2dc017b7c93af8373a9a4e610833e1be6c2120fcf34a72039c6ae2440164d7eba75b43e824d190277edfba59b0d4a8c608fe98c14

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads