5a149525bb861d9640082adb4e845e384a909b58737e1a7becb0048743777d0e

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
Size

192KB
MD5

1a444756aac5041a41cc00e6819153a6
SHA1

5e177a7ebaa2cc983a2bb0951712916fd0985e21
SHA256

5a149525bb861d9640082adb4e845e384a909b58737e1a7becb0048743777d0e
SHA512

46762924d836066ebdbf62a7787acc730c0afba99b12d07b086303ba93379d200619814ae39437aa30f15bf14b29098e051707498afbfbd30c9e88ef7637219d
SSDEEP

3072:yPKJnMKJfOydUlIyVcsj5RXQhw0AE6TsuZfs:yiJsy+eyu+XSAnwuZk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	psyvdg.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	cmd.exe
2600	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\apsyv	psyvdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\apsyv	psyvdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	psyvdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	psyvdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	psyvdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\apsyv\\command	psyvdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	psyvdg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2624	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2600	2752	1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe	28
PID 2752 wrote to memory of 2600	2752	1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe	28
PID 2752 wrote to memory of 2600	2752	1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe	28
PID 2752 wrote to memory of 2600	2752	1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe	28
PID 2600 wrote to memory of 2696	2600	cmd.exe	30
PID 2600 wrote to memory of 2696	2600	cmd.exe	30
PID 2600 wrote to memory of 2696	2600	cmd.exe	30
PID 2600 wrote to memory of 2696	2600	cmd.exe	30
PID 2600 wrote to memory of 2624	2600	cmd.exe	31
PID 2600 wrote to memory of 2624	2600	cmd.exe	31
PID 2600 wrote to memory of 2624	2600	cmd.exe	31
PID 2600 wrote to memory of 2624	2600	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a444756aac5041a41cc00e6819153a6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\lawcjle.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\psyvdg.exe
    "C:\Users\Admin\AppData\Local\Temp\psyvdg.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2696
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\btqjse.bat

Filesize
170B

MD5
120fdad54bbb59bb1316e7d5b12951d3

SHA1
18318458dc4365bae192441d8bc08c810dbd0c03

SHA256
0d0f31ce0796904b6125511d11c2f54f27070d6b42efde55d97392a65d79b906

SHA512
7a69cf7607c369c5fad1fca5c6e89a297a34596ffa04142884165fe1fce2271c2c373828caf0d44f62b60e7bd630f823ce2222300a58cf2ef769210f8e4bae60

Download Submit
C:\Users\Admin\AppData\Local\Temp\lawcjle.bat

Filesize
124B

MD5
220ff4a23fb96a943ece50e0c24aa9e0

SHA1
e8147a990e812fb5f8bd3718115a64098d8df084

SHA256
79341c7a82c0f018bf300fbb27fd9aa4d67b2cf68d40baf325f6da1e7136a61e

SHA512
69e11fcf7ba4959faf140911c18a90b932b1c624c1eeb636b3be62889fb30d44e8e646ac0345d0069064d657b87b27bfff5ce1a2e7b3e8f5fd1f83e8eb6851a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\psyvdg.exe

Filesize
144KB

MD5
6253da554030111bdb8c9c1e119e260d

SHA1
13d1688cb851d0e3c96ab41b1810abdba905ba6d

SHA256
65a576a33a282ff755a8e3f95f2f808b8fdb0cdf551772a7a4229babbef8a278

SHA512
0ac71727ce7253c2ae55e6daf8b9c7366e530a7a21c642b71b0b87c6339f89f0810db34a894b4f2813400017a38e5bc1d01a6da8c04b552d06d1148c822ee18b

Download Submit