285f7e52ec6b57f86b0a77381ea5294b2a43eae5eaf24d3e3e073324431bc87e

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Size

92KB
MD5

0df81a3f85555dd7b0c881c4a30690cc
SHA1

f4b1ad5409b9bb1a7633ed1a9ab1d098724710b1
SHA256

285f7e52ec6b57f86b0a77381ea5294b2a43eae5eaf24d3e3e073324431bc87e
SHA512

04034e234056149dcb775589db72b82ce419ca7c75344e30f75fb03095cad118c01d95135599869f5bf91e33b2cd7f3978e783548a619babf81107ee81e6ddbd
SSDEEP

1536:sUvqogQEhZTl1gYenMF2ur5WUc//////5CsfViNLa7mQX7lojHUk6MA7P+45KDrC:GbZJ1gFnMdWUc//////dis7mQXKYMwP/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	wmnet.exe

Loads dropped DLL 3 IoCs

pid	Process
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2728	wmnet.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
Token: SeDebugPrivilege	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	wmnet.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2120	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	28
PID 2004 wrote to memory of 2120	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	28
PID 2004 wrote to memory of 2120	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	28
PID 2004 wrote to memory of 2120	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	28
PID 2004 wrote to memory of 2772	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2772	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2772	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	29
PID 2004 wrote to memory of 2772	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	29
PID 2004 wrote to memory of 1676	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	30
PID 2004 wrote to memory of 1676	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	30
PID 2004 wrote to memory of 1676	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	30
PID 2004 wrote to memory of 1676	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	30
PID 2004 wrote to memory of 2556	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	34
PID 2004 wrote to memory of 2556	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	34
PID 2004 wrote to memory of 2556	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	34
PID 2004 wrote to memory of 2556	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	34
PID 2004 wrote to memory of 2588	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	35
PID 2004 wrote to memory of 2588	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	35
PID 2004 wrote to memory of 2588	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	35
PID 2004 wrote to memory of 2588	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	35
PID 2004 wrote to memory of 2552	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	36
PID 2004 wrote to memory of 2552	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	36
PID 2004 wrote to memory of 2552	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	36
PID 2004 wrote to memory of 2552	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	36
PID 2772 wrote to memory of 2600	2772	net.exe	40
PID 2120 wrote to memory of 2732	2120	net.exe	45
PID 2120 wrote to memory of 2732	2120	net.exe	45
PID 2120 wrote to memory of 2732	2120	net.exe	45
PID 2120 wrote to memory of 2732	2120	net.exe	45
PID 2772 wrote to memory of 2600	2772	net.exe	40
PID 2772 wrote to memory of 2600	2772	net.exe	40
PID 2772 wrote to memory of 2600	2772	net.exe	40
PID 2588 wrote to memory of 2924	2588	net.exe	42
PID 2588 wrote to memory of 2924	2588	net.exe	42
PID 2588 wrote to memory of 2924	2588	net.exe	42
PID 2588 wrote to memory of 2924	2588	net.exe	42
PID 2552 wrote to memory of 2456	2552	net.exe	43
PID 2552 wrote to memory of 2456	2552	net.exe	43
PID 2552 wrote to memory of 2456	2552	net.exe	43
PID 2552 wrote to memory of 2456	2552	net.exe	43
PID 2556 wrote to memory of 2592	2556	net.exe	41
PID 2556 wrote to memory of 2592	2556	net.exe	41
PID 2556 wrote to memory of 2592	2556	net.exe	41
PID 2556 wrote to memory of 2592	2556	net.exe	41
PID 1676 wrote to memory of 2920	1676	net.exe	44
PID 1676 wrote to memory of 2920	1676	net.exe	44
PID 1676 wrote to memory of 2920	1676	net.exe	44
PID 1676 wrote to memory of 2920	1676	net.exe	44
PID 2004 wrote to memory of 2728	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	46
PID 2004 wrote to memory of 2728	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	46
PID 2004 wrote to memory of 2728	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	46
PID 2004 wrote to memory of 2728	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	46
PID 2004 wrote to memory of 2568	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	47
PID 2004 wrote to memory of 2568	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	47
PID 2004 wrote to memory of 2568	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	47
PID 2004 wrote to memory of 2568	2004	0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe	47

C:\Users\Admin\AppData\Local\Temp\0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0df81a3f85555dd7b0c881c4a30690cc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2732
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2600
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2920
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2592
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2924
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2456
- C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  - Deletes itself
  PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\qrqwerwqer.dll

Filesize
14KB

MD5
570ac7316faa61b931e27170eb59f088

SHA1
753c05fd54477cb1abe60a0eae9c4e19f4a1afbd

SHA256
ef89184861810c696b97454edbad1d138f124a48bdfa8cfd319f31a869d0bbfc

SHA512
49d7dfeaa97c77d64b39e6e5b7a1cbb3bfe18c46526bc992d8e8ba5927ab124e07153b543f0ba38c480741a4f49befd52ad0223ba638510e50c4c1c2608b0f61

Download Submit
\Users\Admin\AppData\Local\Temp\wmnet.exe

Filesize
23KB

MD5
b22032a2834c7920a9b971d95f09b105

SHA1
e463bdf01ea107e7f7bf0fb4e21c3defbceac524

SHA256
4f4e7664575e445a56fddbbbd860bb2fa1e047ea0f06d9df1be8fe8b490dfdbe

SHA512
6a566ab03d95ceeeea4d76cafb3b54cb43d12dae0678d3650db5705dffbf5cbe93c7ec31d11151a0ad7cd9ce6f38f9186d5a2d2c329b248f1c38db4d305f01e7

Download Submit
memory/2004-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2004-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2004-19-0x000000000E000000-0x000000000E01F000-memory.dmp

Filesize
124KB

Download
memory/2728-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download