f3d18451c7d46218a8575931131272ea3789787f09d5174d97e270db4512c93e

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
Size

98KB
MD5

0e2b774ae436ccbed68094cdafb2a4e2
SHA1

85ff332a041ea1f32dbea92403b92c7c0773143d
SHA256

f3d18451c7d46218a8575931131272ea3789787f09d5174d97e270db4512c93e
SHA512

31cd5bec68275d476e8c71c7f4d16bd1c660754db90b9fc019b8f25a03763078c12732b3c498b128ed4690800f91e461caf4b0b042b70abadad6a6d91bb2bb94
SSDEEP

1536:GCmqdgiJvXTbGyx7/ggRYJJnbZfxtt1V1yfm0jLxxayPIDACBWm5+/jnpRG7AAL6:1rvXTS47/rRYrn1R70fxrAclpqxH0Z

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Loads dropped DLL 5 IoCs

pid	Process
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\apilogen32.dll	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-032.dll	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\clb32.dll	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-032.dll	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmifw32.dll	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28
PID 2424 wrote to memory of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28
PID 2424 wrote to memory of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28
PID 2424 wrote to memory of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28
PID 2424 wrote to memory of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28
PID 2424 wrote to memory of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28
PID 2424 wrote to memory of 3032	2424	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	28
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21
PID 3032 wrote to memory of 1192	3032	0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e2b774ae436ccbed68094cdafb2a4e2_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-032.dll

Filesize
132KB

MD5
d81dc5f858e73ff5b508733d40a7d104

SHA1
d908a12f9e00dc88996227e691f6f848c3b82fd3

SHA256
36d05726c45324a7ba38bdfa58318996dc10b545e82974f6775c8722791dbfe3

SHA512
83b817650d1c99ab931354fd6b83d3654d730c409ae2eeb35fc263e37554b29087bb0ecfda6a1d08bf0d1860bdbbcff9d62eb67da0b9714d759cf1df23704eb9

Download Submit
memory/1192-15-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2424-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-35-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download