Analysis

  • max time kernel: 118s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240705-en
  • resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted: 06-07-2024 15:26

General

  • Target: 28a6432c33cf36b974ab395b61db88d5_JaffaCakes118.exe
  • Size: 60KB
  • MD5: 28a6432c33cf36b974ab395b61db88d5
  • SHA1: 9a0f1f66192683d310df6a494734e9f09b20f987
  • SHA256: 26cc574c1d5aeca652046465a84246bb35ce3dc1d6134771daa6ad54cadc4cea
  • SHA512: 0dd830dfe8e827e0941ca844dec605f51d6cebdb1a87a119031c68c5b2c40f2255597f4e271b505787555129ab0f5df81e82c4b1f4d72573db6218b9977f15a2
  • SSDEEP: 768:StXZVSUJnr4fpTeelDftr9HFjLtc1dMW2GhJLWOCEi/hqZtApmw63A39uPyXDHhz:oZV9JIn1vjGs+h9rwqZucl8myT

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28a6432c33cf36b974ab395b61db88d5_JaffaCakes118.exe (process tree depth 1, PID 3032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\28a6432c33cf36b974ab395b61db88d5_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\_tdiserv_\svchost.exe (process tree depth 2, PID 2392; child of PID 3032)
      Command line: C:\Windows\system32\_tdiserv_\svchost.exe C:\Users\Admin\AppData\Local\Temp\28a6432c33cf36b974ab395b61db88d5_JaffaCakes118.exe
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\_tdiserv_\Config.dat
    Filesize: 28B
    MD5: 993234bb1d88b97ac549ddb0e8c8c9b5
    SHA1: d93e3e275a07e9c9410dd1b6459d5017837af504
    SHA256: ef90338b1e6e19d5e7c20aa49e5b36ef7ea951d592b7b8ddc6033819b43c0422
    SHA512: 8fbd3e258747dbae21dc99ee6d110af37f7b0b8b2097748a2ac9f13593a5473466d77a6be163f6e7a30012f1657be04c04f6dce8ec1087a4279680e813bdb35c

  • \Windows\SysWOW64\_tdiserv_\Reckey.dll
    Filesize: 24KB
    MD5: e65594754865ac028439e50705c4c16d
    SHA1: 9bc8f1f7b192f76b3919ec254230d54adee99a97
    SHA256: 9c081dd8648cb16c70fa2cfff0156f5ac45a022f24a31bb1585e8a339f796afd
    SHA512: 597d429a2dcde6eddfe46752cd1491f5df6c3403f4dbd39841202c37103941d52cce4afc699476400bfd52697665f1d723fce1b06c14651e800d3ea0e63a1ad0

  • \Windows\SysWOW64\_tdiserv_\svchost.exe
    Filesize: 60KB
    MD5: 39b65cf0716fb5231804b691d0a5971f
    SHA1: 1ba55fc98472d37fc1041123752efd6b90833659
    SHA256: b28c281bcb9576749160427f493acd6e1fb5cd71a40857caa589d82cea186da4
    SHA512: 0632ce43bc1173664c707c695a0506eee1f8aaecfdf744c11c3a276fa9570bccc7267f6c1f58e86500900750716fef581e9be3ff75f4431744d462f87917db37