03f1e7b87b2428b8e2b0ff414fe65959ca9ccebc520de36a6605ebd27565fd2d

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 19:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17492fa4cb1c970e1aa970f7cc9a27e2_JaffaCakes118.exe
Size

176KB
MD5

17492fa4cb1c970e1aa970f7cc9a27e2
SHA1

de0633742c6123458fdcb06882c47d519274cf88
SHA256

03f1e7b87b2428b8e2b0ff414fe65959ca9ccebc520de36a6605ebd27565fd2d
SHA512

9600d273cfe75d16df5b9974b8f4e8d7bba1bfb2114c452d33108ed1b9f5ceda4e3977685d5e795751880c35f759eb9cf03034a0b63bcb88663da8a0e629cf2b
SSDEEP

3072:/jYUnjtoUnnTjgVY8Xu18/CMuL6d0rcDoh4W9Y:rYUFn3t8XXqMeQDk99

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe"	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe
2984	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2984	server.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2984	server.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2984	3020	17492fa4cb1c970e1aa970f7cc9a27e2_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2984	3020	17492fa4cb1c970e1aa970f7cc9a27e2_JaffaCakes118.exe	28
PID 3020 wrote to memory of 2984	3020	17492fa4cb1c970e1aa970f7cc9a27e2_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\17492fa4cb1c970e1aa970f7cc9a27e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17492fa4cb1c970e1aa970f7cc9a27e2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
157KB

MD5
b4ab21f431d33a804615dd9b007c56c6

SHA1
c88b678bc510985bff0db657e1d446d182b4cfe8

SHA256
059bac58a38566a78193d3d48c87a9310eb7cc69c8e1c74e7911cb98fdb2ebb9

SHA512
62d75e0fd116e779712d551a1de9eca3922fb4f23d2702ffab2d4d1744820dbbcbfec3aa6b682515eced51b8e3ee6344960395e04321be8582ff2203de93d377

Download Submit
memory/2984-12-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-14-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-20-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-8-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-9-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-10-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-19-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-11-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-18-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-17-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-15-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-16-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-0-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

Filesize
4KB

Download
memory/3020-13-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-6-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-7-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download