Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 08:06

General

  • Target

    114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe

  • Size

    528KB

  • MD5

    114b0b606e5cf7427184bc390c79ba9c

  • SHA1

    206f74ec955d64dfc3dff8d8181e4f2137c4b909

  • SHA256

    afb9216450c8dcb6b63ba81c8425d561568f7e20831e12227d6d1fa997e3fae1

  • SHA512

    637ff291ec3bf8e12edbe51a6a207e5a280a2f77e2b64a748dd7e7019f2229fdd1e70d12d63a169fde58dbe7544c2296c9fee922f59ab65e5c3ce2dd2aafbb01

  • SSDEEP

    12288:aX9mcUsSzxGztt/XLTIbhuqge68EEo+ulEl6HxTO4aO:we1xoLvQbhqe66o+2H84aO

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 3 IoCs
  • Modifies data under HKEY_USERS 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\114b0b606e5cf7427184bc390c79ba9c_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
      2⤵
      • Deletes itself
      PID:2988
  • C:\Windows\SysWOW64\ChackPro.exe
    C:\Windows\SysWOW64\ChackPro.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2980

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

    Filesize

    228B

    MD5

    41b09be07764ced7d6de33de45b5bcae

    SHA1

    1c7458d40156b10929a7e2edb2fa6fa25c71365d

    SHA256

    f7072adedb23f30437e77d19b4ea5eb2c4e4f24c7601c4b2366424b9e30479bb

    SHA512

    5e1e594e09bd2c551fb3d00d5464619107a002228a19535bbfbf73bb713d774f6198ec0521dd5fcc50a33901611e77f0e21f70bb676e986b8606fcf617050fe6

  • C:\Windows\SysWOW64\ChackPro.exe

    Filesize

    528KB

    MD5

    114b0b606e5cf7427184bc390c79ba9c

    SHA1

    206f74ec955d64dfc3dff8d8181e4f2137c4b909

    SHA256

    afb9216450c8dcb6b63ba81c8425d561568f7e20831e12227d6d1fa997e3fae1

    SHA512

    637ff291ec3bf8e12edbe51a6a207e5a280a2f77e2b64a748dd7e7019f2229fdd1e70d12d63a169fde58dbe7544c2296c9fee922f59ab65e5c3ce2dd2aafbb01

  • memory/1732-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1732-11-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2980-3-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2980-13-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB