Overview

overview

8

Static

static

3

220f5a59f1...18.exe

windows7-x64

8

220f5a59f1...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 10:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe

  • Size

    842KB

  • MD5

    220f5a59f14b31c2f8028a761f223d08

  • SHA1

    8d457b29c1c0b0e76096a3bc967328174009ec02

  • SHA256

    2884e5c022948d9471d32d60e4786b05551eaaa2aaa0432efeb52b0f89ac7f67

  • SHA512

    5937410b64d701f958a529a90e015fb242589c665db6fb543e478a454cd3f79a37cf1ffb32c248bdbf840dbea29eaf5bb3b8692846431fe770b5cacaf8983813

  • SSDEEP

    12288:qswwgWxMmoZ+XCGTtjmHDdqMe8q2MsSha79xIWAN9Ftf3Juh5Exnj:n7NMmoZVst6pqL2Wha7zANbtPohOj

Score
8/10
executionpersistence

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\sc.exe
        sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
        3⤵
        • Launches sc.exe
        PID:2660
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe" "C:\Windows\system32\sys_temtray.exe"
      2⤵
      • Drops file in System32 directory
      PID:2304
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net start WinServerView
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\net.exe
        net start WinServerView
        3⤵
        • Discovers systems in the same network
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start WinServerView
          4⤵
            PID:2840
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\del.bat
        2⤵
        • Deletes itself
        PID:2696

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\del.bat
            Filesize

            212B

            MD5

            711c94b97baf6b9ccb970d7eeb378057

            SHA1

            b07df8cc8fdd8c4e75a6ad335849bbd35119e73e

            SHA256

            48006e44531e2a137f607fa320317b065e0f871dbd3e30f7626bae054e50a74c

            SHA512

            8ca3d1481874ccd6e40cd06bb582d8a7be4cf46cba0c229e2c3ec52583f521a815a54667ec4055893ea262db2e15e22fb9b4a32b06bd2ce6deb3735ecd0ea2dc

            Download Submit

          • memory/2484-2-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2484-12-0x0000000000400000-0x0000000000475000-memory.dmp

            Filesize

            468KB

            Download