fa4e3171b5ec1b8784fd2dc2ac6db10ef0999c64cf54f73828cbb301d176a667

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe
Size

4.9MB
MD5

1ab4f8febbd02d09fc8f4a15370a68e9
SHA1

da4709929705d474c205a9b259944089c48b9c00
SHA256

fa4e3171b5ec1b8784fd2dc2ac6db10ef0999c64cf54f73828cbb301d176a667
SHA512

c6e537fef52e68a7f23715b7895abc5cf5c29803c9d6ac99a16a2df1c8e14bfb640248022acc874e9808df90eafe6bd4587eb9a9d9ba9fbba73b193d60834ed5
SSDEEP

49152:UvhY8evljoiMbGUjffbsyuaQslzEvcTunny:Uvm8evlsiMtjA9kvTYy

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2548	explorer.exe
2044	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2620	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe
2548	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 2548 set thread context of 2044	2548	explorer.exe	32

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2620	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe
2620	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe
2548	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 1656 wrote to memory of 2620	1656	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	28
PID 2620 wrote to memory of 2548	2620	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	29
PID 2620 wrote to memory of 2548	2620	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	29
PID 2620 wrote to memory of 2548	2620	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	29
PID 2620 wrote to memory of 2548	2620	1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2548 wrote to memory of 2044	2548	explorer.exe	32
PID 2044 wrote to memory of 840	2044	explorer.exe	33
PID 2044 wrote to memory of 840	2044	explorer.exe	33
PID 2044 wrote to memory of 840	2044	explorer.exe	33
PID 2044 wrote to memory of 840	2044	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1ab4f8febbd02d09fc8f4a15370a68e9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\7931.bat"
        5⤵
        
        PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7931.bat

Filesize
182B

MD5
ea309db72266503992a4a065da3d8c80

SHA1
07b64438d4ec7100181369a058e358e052e90304

SHA256
37f7a1e45f04dabba064f495c3902a9b389685d63b837644ba214afbdba7d5b7

SHA512
46f98944508a19b313693c1806fbc6be0e0def64527a49b37de388fd733f2fb4f4dddbb0ce91a007d2b130903eb3411f386a652ecf677b9cc11e1afec60e7fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~15F.tmp

Filesize
16B

MD5
42a4909edc6f4dcc6ed28ea398c8b0f1

SHA1
8e5b02f2fb057ff3ca5ec8b0d887709cdeb30161

SHA256
1d303bb90d3f2346ff4ac1db0dca69b8fa9885144d4175d43bcf22705a6412a3

SHA512
a1b4c98b2c401906b7830dd623b80b26673f3d98f57c744dc1b58351860a59f8d93199cdb6e441d46fb2e71419fd7e9922b1a9b55a6150934ce49c25d1c9564b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~198.tmp

Filesize
16B

MD5
c70196474bdc96ef24eb1901e8c5e123

SHA1
8a548294b09bc2c58ecadf1e9290cd7783ff1261

SHA256
32d81f989cb2033aebd3e13de47e57100fb19ea676ca181092ceb8eb9bcebaf7

SHA512
957a853f5bfb1f37c9cdd1fa0a2ce0ccb3797ed17dc9b86a855602ad8ff2ab51d616c884d89742e0b01f193af544976cacd988329bfe88d76c2d7199bde0b6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1D2.tmp

Filesize
16B

MD5
de735788131de390cbe7bde1b87c68dd

SHA1
eba407850bb220a0ac5a11de469fc185bcd3a913

SHA256
364aafe0415705b5856ea1aec84fdc96556a06e1166e1795850ce3aa84b754d7

SHA512
c291b1c699ff136793d92f2b5eabd7341b099858f9f3ee104ec71eda6534e78da1ad0cb4d2a8d702377af1274adc71a386b89546f88e6c36b867a25c2e378f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1EF.tmp

Filesize
16B

MD5
6c98c85fa54a022bfa48d69a204e5339

SHA1
b2582453b982a148457f1c0b5f1ad7714ba0120f

SHA256
aa35619a4d61c7b61cadcc8d098dd4556fe15dffb9061b9a77cb77ede6e66e82

SHA512
bc01e63318628755d5f5435701278dd47840999b13014ca02ba9fb66130ea60546d47cf1e060b946b5a0330118320d6b38661fe0802f6db97234797b10d88820

Download Submit
C:\Users\Admin\AppData\Local\Temp\~220.tmp

Filesize
16B

MD5
0f083551036ef64cd8b33dbf8d662d27

SHA1
6c147c7dead26714416561d5c7d7ea48e5e676de

SHA256
86e6ee50db3cb6ff96ae6d826112580cfc763cd249139ca6529847092360ea87

SHA512
85aecec6ff691c9999a84c98e0d1c474225ce1af66b3afea6db658ba8f23d00f00657c06fd21d446aa1df14d085affcc59142fbe9f87f60d2bc205f30a19672d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~88.tmp

Filesize
16B

MD5
12cc29f3c992af0883a345bab9516616

SHA1
4055d677168ffc3b2fc559d589564cc3add7389e

SHA256
55704b780946f9c8947b878caa4f277fe8849842a4919e6cfde5a3014e6dd7ad

SHA512
f433814990033f1c2a0376b55225eeb59f5c48fc5181d37ba6385307b997ad6fffcb976766f1f365c62932713a201a3ca685b6f039e4e9a16278fa048551840d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~95.tmp

Filesize
16B

MD5
3c8e63bd16d5268336d5cdea86526132

SHA1
3497915eae642a7f1e58e1eeb23c54a50dbb7c3a

SHA256
667f9654312aa4e4de5d8b268cedebaf931d0240e125f5cdb46a4f62e4bf66e5

SHA512
e48c39d11c4b750d6e0cbdba23a945ecc1e41bd343568880942059f2de2e2081e87cb6304a53bdffd617db36a9344d97789626bf079a94a78d27714ea25acd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~E5.tmp

Filesize
16B

MD5
b23cda13925e7eb235753b2972340936

SHA1
3390a2888d58b7367b4a3b95ab41643415957348

SHA256
a5afdc79def405338b89261aee60ce75d3f33780aa6cd2dbeafa553ccb72cd18

SHA512
365ea30e948b7a1f9cd4f881e2da1135b2b8e83eb49a6e48d2a867f913ab93797f6d61caa955e4a6fe9a54a06e65da78147821f5a8a513e96d8a5a00745dacb8

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
4.9MB

MD5
1ab4f8febbd02d09fc8f4a15370a68e9

SHA1
da4709929705d474c205a9b259944089c48b9c00

SHA256
fa4e3171b5ec1b8784fd2dc2ac6db10ef0999c64cf54f73828cbb301d176a667

SHA512
c6e537fef52e68a7f23715b7895abc5cf5c29803c9d6ac99a16a2df1c8e14bfb640248022acc874e9808df90eafe6bd4587eb9a9d9ba9fbba73b193d60834ed5

Download Submit
memory/2044-130-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2044-133-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2044-152-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2044-144-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2044-142-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2044-141-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2044-137-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2044-131-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-44-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-38-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-41-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-32-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-139-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-56-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-47-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-50-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-35-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2620-53-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download