375ff1105cd20b683f441014ba8988b1e15327c6bf3457a971e3629c6afe022f

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Size

13KB
MD5

1b2f8831502828b78c1b695d74c67b38
SHA1

00285aeb117e125ef5cf1bdb240b758f603f037e
SHA256

375ff1105cd20b683f441014ba8988b1e15327c6bf3457a971e3629c6afe022f
SHA512

d7b22f7997739b9edf19f46bcc74f93899413748200276b0fe07320c3d1500210dcbae4f46bd44f9b11054814428c71312430bad3b8c8c50cdcaef20a1e0a4d8
SSDEEP

384:emWDlkSA2Ji8MJpHX7P8dE00zK2G7rfLD4GEFq/:emQfKpHuEZzKZTD4GEF0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll = "{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adsntzt.tmp	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ = "C:\\Windows\\SysWow64\\adsntzt.dll"	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ThreadingModel = "Apartment"	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2644	2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2644	2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2644	2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2644	2180	1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b2f8831502828b78c1b695d74c67b38_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\A7E3.tmp.bat
  2⤵
  - Deletes itself
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A7E3.tmp.bat

Filesize
207B

MD5
01211861e40903ef04d795276c2c743a

SHA1
8957daa799946083d071d4dec4fa5786c4c17ec2

SHA256
34615175966b19796156173fcae218affaeb5648a93e05498adda6d0710c45b2

SHA512
f6b3d15d9f7c05f974ed3200fc5d0734cf908ce5c5a52446342eceab6826c75314233166632627d5f1733fcbf349d23d03db1a57eb41dfdfc6fa937d2340513f

Download Submit
C:\Windows\SysWOW64\adsntzt.tmp

Filesize
646KB

MD5
1c8b655b679030a691d8a354b86b222f

SHA1
dcc0d4e35115f35414fba5aef6cdd015a3d7323f

SHA256
6d0b22a3b38457bc2f8a2b39da8c2726fc611b772db606f0e57b68a6feb7dafc

SHA512
167e1277eeede9eb7c73e6d5ab9259855527d5e8e3c78970bb6ce39cc120d928fe71a8c4abf9149d639e08afb59bad5f1947c709a9a473541031b54f5bace073

Download Submit
memory/2180-12-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2180-21-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download