68dc368efa8927c196812266f95f11b061d8e846e075e25fb782e43644fe8965

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
Size

13KB
MD5

15b25974cd9e4f1488de4de049cb9ee1
SHA1

50f7892486da237f7695695f83551f1ba9abfdd2
SHA256

68dc368efa8927c196812266f95f11b061d8e846e075e25fb782e43644fe8965
SHA512

d53cf01bec2abd2898dace5e0c2c55553d935eddf0a119953df26da6693fc40ccfe6c3e74d6d8f2445032bf497ec57f47e288cd9c09a661761cb96bb75d91ce4
SSDEEP

384:yi8HP3ODB8fFAXk2NzLeD2T8GKzV9JCinm3odyeJA+1:yia3OF8fFukweDW+V9tm4dyeW8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ksuserfy.dll = "{C4C78494-4D05-4614-8CF2-03F1C4276C8A}"	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2444	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ksuserfy.tmp	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ksuserfy.tmp	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ksuserfy.nls	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4C78494-4D05-4614-8CF2-03F1C4276C8A}	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4C78494-4D05-4614-8CF2-03F1C4276C8A}\InProcServer32	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4C78494-4D05-4614-8CF2-03F1C4276C8A}\InProcServer32\ = "C:\\Windows\\SysWow64\\ksuserfy.dll"	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4C78494-4D05-4614-8CF2-03F1C4276C8A}\InProcServer32\ThreadingModel = "Apartment"	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2444	2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2444	2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2444	2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2444	2284	15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15b25974cd9e4f1488de4de049cb9ee1_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\7ED1.tmp.bat
  2⤵
  - Deletes itself
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ED1.tmp.bat

Filesize
207B

MD5
94be9e3e8b6b8bc5b784dac99b1edcb4

SHA1
ef8e7b5657b2959d3e9854c5023261eb78b8255a

SHA256
4230feb27fe670aad4d270df89447a7b5d9cf61664b686ace5f78e6167cf51f1

SHA512
60af0aba3a640196454d6c0673dd9363e17e6e1f00a200f8b3b87e2c06c992addb9faff96402b15afb328cc072502670f9311f1ff3ba76b0e8fbbdcdb9f2d437

Download Submit
C:\Windows\SysWOW64\ksuserfy.tmp

Filesize
2.4MB

MD5
163f9151cde020dfeda6cd7827fa5994

SHA1
94a96179407f620720674d5252577a4e54adc6d1

SHA256
f470d26ab3474d869d84417ec531dafb3c1f9d119e310ccb51f6f9a2514b1aba

SHA512
590b00bd95b448a0176a351572c5d49494bc51da7370bcacf531bb766c9a1d51e287db2860f692232a096c08070f1b0d13c986db8f2d4bbe1395760995d1bc91

Download Submit
memory/2284-12-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2284-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download