Overview

overview

8

Static

static

3

220f5a59f1...18.exe

windows7-x64

8

220f5a59f1...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe

  • Size

    842KB

  • MD5

    220f5a59f14b31c2f8028a761f223d08

  • SHA1

    8d457b29c1c0b0e76096a3bc967328174009ec02

  • SHA256

    2884e5c022948d9471d32d60e4786b05551eaaa2aaa0432efeb52b0f89ac7f67

  • SHA512

    5937410b64d701f958a529a90e015fb242589c665db6fb543e478a454cd3f79a37cf1ffb32c248bdbf840dbea29eaf5bb3b8692846431fe770b5cacaf8983813

  • SSDEEP

    12288:qswwgWxMmoZ+XCGTtjmHDdqMe8q2MsSha79xIWAN9Ftf3Juh5Exnj:n7NMmoZVst6pqL2Wha7zANbtPohOj

Score
8/10
executionpersistence

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in System32 directory 6 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\SysWOW64\sc.exe
        sc create WinServerView binpath= "C:\Windows\system32\sys_temtray.exe" type= share start= auto displayname= "systemtray" depend= RPCSS/Tcpip/IPSec
        3⤵
        • Launches sc.exe
        PID:232
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\220f5a59f14b31c2f8028a761f223d08_JaffaCakes118.exe" "C:\Windows\system32\sys_temtray.exe"
      2⤵
      • Drops file in System32 directory
      PID:3348
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net start WinServerView
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\net.exe
        net start WinServerView
        3⤵
        • Discovers systems in the same network
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start WinServerView
          4⤵
            PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\del.bat
        2⤵
          PID:3704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \??\c:\del.bat
        Filesize

        212B

        MD5

        711c94b97baf6b9ccb970d7eeb378057

        SHA1

        b07df8cc8fdd8c4e75a6ad335849bbd35119e73e

        SHA256

        48006e44531e2a137f607fa320317b065e0f871dbd3e30f7626bae054e50a74c

        SHA512

        8ca3d1481874ccd6e40cd06bb582d8a7be4cf46cba0c229e2c3ec52583f521a815a54667ec4055893ea262db2e15e22fb9b4a32b06bd2ce6deb3735ecd0ea2dc

        Download Submit

      • memory/1872-0-0x0000000000640000-0x0000000000641000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1872-7-0x0000000000400000-0x0000000000475000-memory.dmp

        Filesize

        468KB

        Download