cb2dd254c660e12623ad7df5154945e3f7aefdba062288e0caad5bfa26481552

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22072f995ce54648c2eac2113205914a_JaffaCakes118.exe
Size

403KB
MD5

22072f995ce54648c2eac2113205914a
SHA1

697290d61f5cae834c7e825c42f91775dbdd555f
SHA256

cb2dd254c660e12623ad7df5154945e3f7aefdba062288e0caad5bfa26481552
SHA512

bcf49f84da9ce37ca76729be280080e6abdc7d4f8d7dd207cfc8bc9340ca6c49315aec7f3c43d4b67c900584fdf0e787eab869138bcc27f2ccbe0c831d31854f
SSDEEP

6144:Pj2rWYaSbUP6Fim96VkyV0iN7D8Q06Kx22h+oly66O/LpFJzOzwZBH:Pj8vaSbhAFVZN7D8Qx52hd5/LpFRVH

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2228	jB01813NhNgP01813.exe

Executes dropped EXE 1 IoCs

pid	Process
2228	jB01813NhNgP01813.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe
2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-6-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2192-18-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2228-20-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2228-29-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2228-38-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jB01813NhNgP01813 = "C:\\ProgramData\\jB01813NhNgP01813\\jB01813NhNgP01813.exe"	jB01813NhNgP01813.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	jB01813NhNgP01813.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe
Token: SeDebugPrivilege	2228	jB01813NhNgP01813.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2228	jB01813NhNgP01813.exe
2228	jB01813NhNgP01813.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2228	2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2228	2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2228	2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe	28
PID 2192 wrote to memory of 2228	2192	22072f995ce54648c2eac2113205914a_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\22072f995ce54648c2eac2113205914a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22072f995ce54648c2eac2113205914a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\ProgramData\jB01813NhNgP01813\jB01813NhNgP01813.exe
  "C:\ProgramData\jB01813NhNgP01813\jB01813NhNgP01813.exe" "C:\Users\Admin\AppData\Local\Temp\22072f995ce54648c2eac2113205914a_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jB01813NhNgP01813\jB01813NhNgP01813

Filesize
192B

MD5
05c647e7d20b69742f154402e6830038

SHA1
7264f2f3aa730e52e872ed7fd5bf319b8251ad3a

SHA256
1537601c9939d4e5f4c766303d147fcda9e1d2b71befbd21e1c511d79d949bdd

SHA512
500f31abaa3f9e790284d5261ed550734fa18b5207f43b3cd0c695b6ae8f74616994de63df4369aa1b0134e1a9e6a177e5e3505dcebb26b5bbab46d1f2f43997

Download Submit
\ProgramData\jB01813NhNgP01813\jB01813NhNgP01813.exe

Filesize
403KB

MD5
190c2a61f4caccc2d07aafc4e3aec11d

SHA1
c2a6defa17d43d94e25e91e7dd86afa14476fbdc

SHA256
37312ff31f72ae040ae99c5ebae0876a1fc5c850fe73fe5bba8e84d2dbfe308c

SHA512
f967dbe6d16294e1d25bfac7379021bdb1ff6dd33570b6fece5e83ac6cee82b2e3a4f545e0129d6201ddd86afb21cf3372622a96b1668442cf7346b32e80a852

Download Submit
memory/2192-0-0x0000000000330000-0x0000000000333000-memory.dmp

Filesize
12KB

Download
memory/2192-6-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2192-18-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2228-19-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2228-20-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2228-29-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2228-38-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download