6590b64fb6af5805c077d565fbf033bb2c16e9c6a9b60f4eb4b9cb0c497b067b

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
Size

10KB
MD5

18f47e0c7573514b97a4126b014a4bff
SHA1

ce2b0efe6e028250fb4f1cfd44cb54c8bb2dbbae
SHA256

6590b64fb6af5805c077d565fbf033bb2c16e9c6a9b60f4eb4b9cb0c497b067b
SHA512

ce50d82e087c0d5d7988bead4d04669179b2f37ec371c38bd37508f8475e3277aa60320b57b1064e6fa08a252479c63082dee86f41c165f718607a696ad04eb8
SSDEEP

192:Kd+AcKf9ONc7JDB/6Y8UFDB0tYLKecS1EeluhrPOgfKKI:GJfMNc1pNhB0iLKeqelwzNKKI

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tlsa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlso.exe"	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	1792	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1196	1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe	21
PID 1792 wrote to memory of 2820	1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe	28
PID 1792 wrote to memory of 2820	1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe	28
PID 1792 wrote to memory of 2820	1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe	28
PID 1792 wrote to memory of 2820	1792	18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\18f47e0c7573514b97a4126b014a4bff_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 208
    3⤵
    - Program crash
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tlso0.dll

Filesize
9KB

MD5
9c5fc1eac585d9e49f87870a1251c3ad

SHA1
104aa1025352df10d3f8b4e9550af568ace3f311

SHA256
19e29a4e4580080df2d1d89486c8e1a0ae63c9fafd354dfda3c68d460728c373

SHA512
48a61102f954462da9b0de6ad7d506c146de497cde21fec74963e2bb6110bc9d215e812989efcc0cf824e84e1db23e38b0f9b8cf30a8d12c9c8c9b94ff9db42e

Download Submit
memory/1196-2-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1792-5-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1792-6-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download