f3070509254ff629966d53a1d8a277311b17b7ded7219d25eb5932f5938cbd8a

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 08:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
Size

116KB
MD5

2545c3041f9a3896f657eabb8a169d4f
SHA1

27827bfb4faaea07194988f57d2907aa520cd60f
SHA256

f3070509254ff629966d53a1d8a277311b17b7ded7219d25eb5932f5938cbd8a
SHA512

aef83cfdbeefec91a926b37c3d21e84e471b70bb9046d9b426d235d88cc607a4b25c55763873f6df6a5b3b91aa15a227ff29102aee3d4ac4f63afede53072e4a
SSDEEP

1536:ss+jhi0Ckg2QtJoIvM4EXf5uEp54yhFeK0JJmlhU8KKbDHZyRFOJMeiO0mUQA+jG:xim2QtJoaUFP4Jj8DX0RFOXdTm+Ot

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1836	netprotocol.exe
2584	netprotocol.exe

Loads dropped DLL 3 IoCs

pid	Process
3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
1836	netprotocol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 3000	1784	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	28
PID 1836 set thread context of 2584	1836	netprotocol.exe	30

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 3000	1784	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	28
PID 1784 wrote to memory of 3000	1784	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	28
PID 1784 wrote to memory of 3000	1784	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	28
PID 1784 wrote to memory of 3000	1784	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	28
PID 1784 wrote to memory of 3000	1784	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	28
PID 1784 wrote to memory of 3000	1784	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1836	3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	29
PID 3000 wrote to memory of 1836	3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	29
PID 3000 wrote to memory of 1836	3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	29
PID 3000 wrote to memory of 1836	3000	2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe	29
PID 1836 wrote to memory of 2584	1836	netprotocol.exe	30
PID 1836 wrote to memory of 2584	1836	netprotocol.exe	30
PID 1836 wrote to memory of 2584	1836	netprotocol.exe	30
PID 1836 wrote to memory of 2584	1836	netprotocol.exe	30
PID 1836 wrote to memory of 2584	1836	netprotocol.exe	30
PID 1836 wrote to memory of 2584	1836	netprotocol.exe	30

C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2545c3041f9a3896f657eabb8a169d4f_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      C:\Users\Admin\AppData\Roaming\netprotocol.exe
      4⤵
      Executes dropped EXE
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
116KB

MD5
000bb2fe73feae1a5919a88bd3c9d029

SHA1
7cb1d43003bf706bf7fbcfcdfaab7f4a384a68aa

SHA256
82776f45c4e1db930c8a4a10f5a46a040a69fbe476f2cd29987d0b05be1f4537

SHA512
28e61d50af793b172dd17626d76488e330848cde91942ad8689299411086238e26fab2c3c3e8ffe2b65fab247a4f82b8d9446e0bc9faca1061832b034f119334

Download Submit
memory/2584-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-6-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-4-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3000-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3000-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads