ab7449501b5f3a4631f1535deb25e7ff2cb8893a40d2fc5f0b2689673282e827

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 04:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14ac9f4db8ef39677f190848ab0b4017_JaffaCakes118.exe
Size

112KB
MD5

14ac9f4db8ef39677f190848ab0b4017
SHA1

34e24311a6db26ce4564fa3e4298be52013b3740
SHA256

ab7449501b5f3a4631f1535deb25e7ff2cb8893a40d2fc5f0b2689673282e827
SHA512

51c90a933c1be05d8b3cb3d3a9ba2dd04a6e8cd214113f985c91e3c428bb45f4f28f5ed05594371227dbda3cb42cdb0ef0f0133aa4ef838cc604946125a58191
SSDEEP

1536:jnkyLOc58BG0vIE4eBK/7MKBm/+9Dsc4fsfdqOe:jkykBG0QE4e0M1yD34Udde

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1492	832.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\""	832.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\""	832.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1492	832.exe
1492	832.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1492	2016	14ac9f4db8ef39677f190848ab0b4017_JaffaCakes118.exe	29
PID 2016 wrote to memory of 1492	2016	14ac9f4db8ef39677f190848ab0b4017_JaffaCakes118.exe	29
PID 2016 wrote to memory of 1492	2016	14ac9f4db8ef39677f190848ab0b4017_JaffaCakes118.exe	29
PID 2016 wrote to memory of 1492	2016	14ac9f4db8ef39677f190848ab0b4017_JaffaCakes118.exe	29
PID 1492 wrote to memory of 1140	1492	832.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\14ac9f4db8ef39677f190848ab0b4017_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14ac9f4db8ef39677f190848ab0b4017_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\832.exe
    C:\Users\Admin\AppData\Local\Temp\832.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\832.exe

Filesize
38KB

MD5
e299c2508a3fd1c25e51be7480e019b6

SHA1
483e5867cc114962f3910218baed85b22f620ebc

SHA256
7cb204c2b96bc0b6ef683df83c872eff9570fcd29bb8f9f34183b5895b0b5221

SHA512
5ea6951aa226591c16fa737ddbb56cd1a4a4c215185220dc081d4469cd1ff6d9afd3afb39bb4fbc278522a275de03c7477da453079b0abe76b41f868407168c1

Download Submit
memory/1140-9-0x00000000025A0000-0x00000000025AE000-memory.dmp

Filesize
56KB

Download
memory/1492-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2016-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x0000000000C80000-0x0000000000CA2000-memory.dmp

Filesize
136KB

Download