6eb12481f267482543fdb2f9b759b8035631930e3e90d1626c95fbff5669373a

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe
Size

193KB
MD5

172960eb458db73204724b8b2fb3ce31
SHA1

8e2881f4b11786fa7750c42074434ba7f7d5df86
SHA256

6eb12481f267482543fdb2f9b759b8035631930e3e90d1626c95fbff5669373a
SHA512

39fb686fa649f5f6f100a256aad4584f8cb1a5950901b9972e4ce850ab21c767423def3fb528d1bf4682d396c72f41894c3dbe43c36f20703d03941c28d4f62e
SSDEEP

3072:f/vGHqJLx6B/CRLdhH+5GWp1icKAArDZz4N9GhbkrNEkBNJAQ8lwzhAFPp//gO:HWqA/eR2p0yN90QEHpHgO

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2132	server.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe
3060	172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	server.exe
2132	server.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2132	3060	172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe	28
PID 3060 wrote to memory of 2132	3060	172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe	28
PID 3060 wrote to memory of 2132	3060	172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe	28
PID 3060 wrote to memory of 2132	3060	172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1380	2132	server.exe	21
PID 2132 wrote to memory of 1380	2132	server.exe	21
PID 2132 wrote to memory of 1380	2132	server.exe	21
PID 2132 wrote to memory of 1380	2132	server.exe	21
PID 2132 wrote to memory of 1380	2132	server.exe	21
PID 2132 wrote to memory of 1380	2132	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\172960eb458db73204724b8b2fb3ce31_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
28KB

MD5
c2e7287a680ed59525acadc7ba991736

SHA1
751d1c704d5aa9210293cf869e52308a9c34fe3c

SHA256
ec0bef04d4aa2fb3cd8a75824a13c7b90bf4928405501a590b73d0cccc5911d2

SHA512
0012864cadf8c674d8f1c7a2e5c736c5a1473037dead88bd561853dc192d291ac19fad7a776001fdf39abcbafb9d125e72c83304d280113c9810433b6d270167

Download Submit
memory/1380-12-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1380-19-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/2132-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2132-15-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/3060-4-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download