Overview

overview

7

Static

static

3

2c3746bd18...18.exe

windows7-x64

7

2c3746bd18...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    08/07/2024, 11:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2c3746bd1821c788879d9e524efd60f0_JaffaCakes118.exe

  • Size

    677KB

  • MD5

    2c3746bd1821c788879d9e524efd60f0

  • SHA1

    5dd747eda7a3c7b7683236518362ec3e33228592

  • SHA256

    5bf9031882d66caad81debb6f6753535c7a65c2ff2fbc5f44a36d31ec4935c17

  • SHA512

    dd929b3a412fc956204678448d45727029993239ccc2b530178a7dbc77f4e5f23ff401d94e62041790eca42d724fe21ce77c11d7449af0c053f1a8d4a072ec8b

  • SSDEEP

    12288:+uxdhCOTOdjY1Lo7t5TLPMxqfkr/UezQupLZAF3Z4mxxpDqVTVOCO:R7DO/v/qEkr8ezfZAQmXAVTzO

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c3746bd1821c788879d9e524efd60f0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2c3746bd1821c788879d9e524efd60f0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\uninstal.bat
        3⤵
          PID:2628
    • C:\Windows\System.exe
      C:\Windows\System.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2616

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\uninstal.bat
            Filesize

            150B

            MD5

            38abcb0e3e0290b7fd102ede63184294

            SHA1

            db5ea8b475b211779aee0ceaec4e7d389195b899

            SHA256

            7c31d1ad068fa0fd74158b9855f4bc8ec2467875bd74e3f8272df986c51166b7

            SHA512

            5c52f1692419d02d50f1296251aba070a7829e63fa88fd4f9b9e15e488e4be9de69240b5fa3a721c41a644851ea28418cbb1f90492b2d57d689e051faeafdd22

            Download Submit

          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
            Filesize

            772KB

            MD5

            76bcfbb47dd85cf5583488a297874cc3

            SHA1

            cc391a760880cbe069a48e57bd57b0e7badb51d4

            SHA256

            654329acf916ab6745e5dba574f5bca718c88d8acc69b7ac03b94ff637988db9

            SHA512

            c7d4581cc84393ae1f59cdea58bc0b4c01d41a74ab533f97703f36cc834478fa9383312530f90f3ba951e3e3eb024314502cef81da2b6584fdab6dabd6384488

            Download Submit

          • memory/2616-24-0x00000000003E0000-0x00000000003E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2616-30-0x0000000000400000-0x00000000004C8016-memory.dmp

            Filesize

            800KB

            Download

          • memory/2616-32-0x00000000003E0000-0x00000000003E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2848-0-0x0000000001000000-0x00000000010B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/2848-2-0x0000000001000000-0x00000000010B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/2848-1-0x0000000001062000-0x0000000001063000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2848-3-0x0000000001000000-0x00000000010B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/2848-28-0x0000000001000000-0x00000000010B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/2892-26-0x0000000000400000-0x00000000004C8016-memory.dmp

            Filesize

            800KB

            Download