Analysis

  • max time kernel
    84s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/07/2024, 07:19

General

  • Target

    2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe

  • Size

    157KB

  • MD5

    2b7083e65c670f754f718600eb292cfb

  • SHA1

    2c958a67f029d6dc730ad0e94290a5a635225300

  • SHA256

    75f0f21737fed722cba5c80dacdb50614a3e5240efae04108af4e9cc7ae0c707

  • SHA512

    f7ab0e909e7763d65d71153e289a2fd52a5b708f6756423bb9f74069d7f99841d99f98553fe3e4f327f5590d7c1a6c26815fb068b4e02857b110b4d5b815b250

  • SSDEEP

    3072:Vp9pZqP95Oh1DDyjRvxwKU9LfnnOgW4jKIWO977dW18DjVjR:DZE5+13ylv+nDn8O9HdqqJj

Signatures

  • Deletes itself 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 2 IoCs
  • Unexpected DNS network traffic destination 9 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:476
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2b7083e65c670f754f718600eb292cfb_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Deletes itself
        PID:2712

Downloads

  • C:\Users\Admin\AppData\Local\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n
    Filesize: 26KB
    MD5: fab7de9eafea67f88e43003698024c86
    SHA1: 24a4ef27c29cdeabed5e0af867e3f568da40d0c9
    SHA256: 073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384
    SHA512: b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

  • \systemroot\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\@
    Filesize: 2KB
    MD5: 38c9d726d8fec900eb13e0b96aa4a7df
    SHA1: bfb1ea50a783e13e619228012f4472ae129f8bf5
    SHA256: 6302e3d8798b296fe058c71cc12b6216d6b3f00015e2e2b36176989aeb1599e1
    SHA512: 68864d4e9a3a6d61f871e44e2a50dbd6ea95c8a1cdfbddd79280d547173bdb9a05314a36004cdf2d057f4d7520e675257ef5c9e50d6ee6813500c4cd1932ac65

  • memory/476-13-0x0000000000100000-0x0000000000101000-memory.dmp
    Filesize: 4KB

  • memory/476-21-0x0000000000100000-0x0000000000101000-memory.dmp
    Filesize: 4KB

  • memory/1264-8-0x0000000002590000-0x0000000002591000-memory.dmp
    Filesize: 4KB

  • memory/1264-3-0x0000000002590000-0x0000000002591000-memory.dmp
    Filesize: 4KB

  • memory/1264-17-0x0000000002590000-0x0000000002591000-memory.dmp
    Filesize: 4KB

  • memory/2944-1-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2944-2-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB

  • memory/2944-15-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB

  • memory/2944-16-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB

  • memory/2944-20-0x0000000000400000-0x0000000000431000-memory.dmp
    Filesize: 196KB

  • memory/2944-19-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize: 132KB