1a553e660a6f8f287ebd87c312518a1101d2e659b3e1938c58ce8e1030b8561f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 00:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe
Size

184KB
MD5

24056d080b7169658f1321afcac4f34e
SHA1

12cbfc2bcea145ce8522082d648d24026ecf82a0
SHA256

1a553e660a6f8f287ebd87c312518a1101d2e659b3e1938c58ce8e1030b8561f
SHA512

678c98c87de18ea232a6ec2ba8f394639477e5309ccff86ccc3325b4a7ecbe39e8b3f5e2d49ce795568f6c7bb926360c997074e8a22edfccfdf16ebf4426d359
SSDEEP

3072:gZMB9JdoHmoeyced9wh0qDUOv31VI07ialpqxVyxEiFX:+MkHmotf7fqD5w0GWfx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	fxewrz.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	cmd.exe
1644	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	fxewrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\dfxew\\command	fxewrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fxewrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\dfxew	fxewrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\dfxew	fxewrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	fxewrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fxewrz.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2220	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 1644	992	24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe	28
PID 992 wrote to memory of 1644	992	24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe	28
PID 992 wrote to memory of 1644	992	24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe	28
PID 992 wrote to memory of 1644	992	24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe	28
PID 1644 wrote to memory of 2616	1644	cmd.exe	30
PID 1644 wrote to memory of 2616	1644	cmd.exe	30
PID 1644 wrote to memory of 2616	1644	cmd.exe	30
PID 1644 wrote to memory of 2616	1644	cmd.exe	30
PID 1644 wrote to memory of 2220	1644	cmd.exe	31
PID 1644 wrote to memory of 2220	1644	cmd.exe	31
PID 1644 wrote to memory of 2220	1644	cmd.exe	31
PID 1644 wrote to memory of 2220	1644	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24056d080b7169658f1321afcac4f34e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ujsafac.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\fxewrz.exe
    "C:\Users\Admin\AppData\Local\Temp\fxewrz.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2616
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fglolr.bat

Filesize
170B

MD5
d95ba66158879a3163d2abe81c5205f4

SHA1
4155aeb1c46fac67b004171929e9aad3afc55768

SHA256
03893aa9a6cd4e87783abee76f44bb83b9c585759eccaa81a4fc43fde994efcb

SHA512
a55a59d56280613bf3d99f5c9b7fd27e9d672523981e538f8f714b4d06b3bedb64fa12b11e0ef60aa006932b217e96b1c83091b224f1d9081b02f60b7e21af7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujsafac.bat

Filesize
124B

MD5
3b1b44f627fcdca79563117eea139b14

SHA1
8c620306e6e7edae1a38c496639ce0a62e40f86f

SHA256
8edf21669e117014f77ab83b8d9f0d2378ce29833873833094d4c2ccb00fea6f

SHA512
05ff144ae60cb56a0e83eaa293372eec537a0f9fa43897f4f7fcadd4f608f02aa64dd4e2a2ee843dcc62644441b84e6ebe2ac8ecddb735f0a59b3aa619d8ff28

Download Submit
\Users\Admin\AppData\Local\Temp\fxewrz.exe

Filesize
144KB

MD5
9cf9d9f950e6eef40c483566bb07987d

SHA1
20149ff37fc2a06f55d4ab7d49c114cca8328ba6

SHA256
a372fdc4b5b00bf031cfbaecefa439fe8f3c9992c15f9e0cceed3055f73ff9df

SHA512
2689ea24550c749ceaf3a5422921d397959195281846dccb356ae2ae13bcb98abef289e51360065252503cc20b6e12b14016122ead7d911a7dc9a048d834f77e

Download Submit