41ae739b6df62b68c2bb366a580b463959450c66ede03af13cd26e82bd305700

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe
Size

35KB
MD5

2e06394b5810111e28b444d3a6cc2ebc
SHA1

1a915ed60f3c3006140033692b3bf02b20ca7bfd
SHA256

41ae739b6df62b68c2bb366a580b463959450c66ede03af13cd26e82bd305700
SHA512

7ccb4a098a94d3049523e7fca4f6b72cbd227c47b31da9bcaff91676a86f90136f5d2d87cc40ba61c2c7ae0790500c1177ef507255fbc2b89b89cb54fe3d74e5
SSDEEP

768:h9zAYH5l6XlSm7FoCHGu15RVhzC0vMol/sGm0:h9MYu1SOoKGEvnI0

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\C9B5142D\ImagePath = "C:\\Windows\\system32\\E041D733.EXE -C9B5142D"	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2504	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	E041D733.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\E041D733.EXE	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\E041D733.EXE	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\E041D733.EXE	E041D733.EXE
File created	C:\Windows\SysWOW64\F06BEE1D.DLL	E041D733.EXE
File created	C:\Windows\SysWOW64\del.bat	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2388	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe
2560	E041D733.EXE
2560	E041D733.EXE
2560	E041D733.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2504	2388	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2504	2388	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2504	2388	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2504	2388	2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e06394b5810111e28b444d3a6cc2ebc_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\del.bat
  2⤵
  - Deletes itself
  PID:2504

C:\Windows\SysWOW64\E041D733.EXE
C:\Windows\SysWOW64\E041D733.EXE -C9B5142D
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\E041D733.EXE

Filesize
35KB

MD5
2e06394b5810111e28b444d3a6cc2ebc

SHA1
1a915ed60f3c3006140033692b3bf02b20ca7bfd

SHA256
41ae739b6df62b68c2bb366a580b463959450c66ede03af13cd26e82bd305700

SHA512
7ccb4a098a94d3049523e7fca4f6b72cbd227c47b31da9bcaff91676a86f90136f5d2d87cc40ba61c2c7ae0790500c1177ef507255fbc2b89b89cb54fe3d74e5

Download Submit
C:\Windows\SysWOW64\del.bat

Filesize
239B

MD5
a01bb27028ada8a4f27ecdedb9e9ca1d

SHA1
f1d63c7852646f8f9751d692e1be84e6933aeee7

SHA256
fff7a3382685aea49fea6c46cdcaecb6440842891f0367b5ab0ace0ad987740b

SHA512
48226a7be2a153a3cd6e4c4aa867bbdfc73df8ba096f5b9601b6ed5d2c9d917a03433f243af9493f15adc10705ba32b07ddee5a8a970be55865ff2ff3d41b0d4

Download Submit
memory/2388-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2388-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2388-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2560-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2560-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2560-17-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download