465df717a695839c99130b55a93d42a45c1c9102d9c31d6268635e188246c11c

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
Size

356KB
MD5

1ac1e3a0c3a89b9b68edd643cbd31c84
SHA1

1cf6e58fdbe469fd407c609b1d8fb937dc19beb7
SHA256

465df717a695839c99130b55a93d42a45c1c9102d9c31d6268635e188246c11c
SHA512

55132fe4f5c2461a7e23917553d41ba43e999506109aaab2e9633f3b843f8b21a320354262a24a2cb47c99038a36863d26c45e6d8382d5fca625a4f7027f18e5
SSDEEP

6144:kYfr7UVj6F1KvDTFISAW1RJd0WvDQFY3/T9tofBTaEmHjKZHSwFj+jo:VsW3KvDTDf0SMFYPZufBTzIjy5+jo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1656	aaa.exe

Loads dropped DLL 3 IoCs

pid	Process
2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
1656	aaa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	aaa.exe
1656	aaa.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1656	2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe	28
PID 2424 wrote to memory of 1656	2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe	28
PID 2424 wrote to memory of 1656	2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe	28
PID 2424 wrote to memory of 1656	2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe	28
PID 2424 wrote to memory of 1656	2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe	28
PID 2424 wrote to memory of 1656	2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe	28
PID 2424 wrote to memory of 1656	2424	1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe	28
PID 1656 wrote to memory of 1192	1656	aaa.exe	21
PID 1656 wrote to memory of 1192	1656	aaa.exe	21
PID 1656 wrote to memory of 1192	1656	aaa.exe	21
PID 1656 wrote to memory of 1192	1656	aaa.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1ac1e3a0c3a89b9b68edd643cbd31c84_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aaa.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aaa.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\aaa.exe

Filesize
31KB

MD5
77e68babe788ba43cd5183f018a475b9

SHA1
62ddae924e02c6f58b48afd4537b89fb4ef23927

SHA256
87d409caf5d3f8981a4ae7e927525b70a7d97d168cba16bdf38baaf76b6e24f8

SHA512
4336f228422768d954d1391cf560e0ff1156b71decff7ed2501690fa8dc4ca4d32d7c2bbe4c4050d6ddcc9bed55895a0aa1bc0a430003a1a4743b53866ed9fb3

Download Submit
memory/1192-25-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1192-21-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1656-20-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1656-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1656-24-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1656-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2424-4-0x0000000001000000-0x0000000001059000-memory.dmp

Filesize
356KB

Download
memory/2424-15-0x0000000000900000-0x0000000000909000-memory.dmp

Filesize
36KB

Download
memory/2424-13-0x0000000000900000-0x0000000000909000-memory.dmp

Filesize
36KB

Download
memory/2424-3-0x0000000001000000-0x0000000001059000-memory.dmp

Filesize
356KB

Download
memory/2424-2-0x0000000001000000-0x0000000001059000-memory.dmp

Filesize
356KB

Download
memory/2424-5-0x0000000001000000-0x0000000001059000-memory.dmp

Filesize
356KB

Download
memory/2424-0-0x0000000001001000-0x0000000001003000-memory.dmp

Filesize
8KB

Download
memory/2424-35-0x0000000001000000-0x0000000001059000-memory.dmp

Filesize
356KB

Download