bb6bb57641cdea7dac73f83c228645228173f771c6a3931df340d94e51b09c69

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cf858176c2795185f9767846620bae7_JaffaCakes118.exe
Size

731KB
MD5

2cf858176c2795185f9767846620bae7
SHA1

06b735a487693b23c0c32dd0bb2661c76cc678eb
SHA256

bb6bb57641cdea7dac73f83c228645228173f771c6a3931df340d94e51b09c69
SHA512

55be78584461981182770466577aa5bf3800d66660c329d7f27c12e5951c46f14df2d3aa293632a281aa03b825c0149810216873f455539c1fffb7a99e868660
SSDEEP

12288:QqS5kz4IYscIuLfBemSZVWfKAJ9OjtNqvv3T/yF3Z4mxx9JW34D7qoOiMEDBni1n:QqSQNuL5kZVowtgvvD/yQmXnWoP+pEDs

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1908	Server.exe

Loads dropped DLL 3 IoCs

pid	Process
1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe
1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe
1908	Server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SVKP.sys	Server.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1908	1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1908	1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1908	1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1908	1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1908	1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1908	1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe	30
PID 1680 wrote to memory of 1908	1680	2cf858176c2795185f9767846620bae7_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2cf858176c2795185f9767846620bae7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2cf858176c2795185f9767846620bae7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
398KB

MD5
509930962d43ef89d0002c8dd12bc695

SHA1
92f7416182d453b79d5e3fd32e8a413d17fe9565

SHA256
a5a5c5638b21c2c7d901a04e76758225fb20503290b81706f92eb68623352bdd

SHA512
a92a25316d2e86c1ace4ab4d68d248a42f360f46774b96971b335806f95d3bacd2edbd86eb51293af6409dce4b415346203c579ac71c98020a2f097e5fd289b3

Download Submit
memory/1680-0-0x0000000001000000-0x00000000010C2000-memory.dmp

Filesize
776KB

Download
memory/1680-1-0x00000000007A0000-0x0000000000862000-memory.dmp

Filesize
776KB

Download
memory/1680-3-0x0000000001000000-0x00000000010C2000-memory.dmp

Filesize
776KB

Download
memory/1680-2-0x000000000106F000-0x0000000001070000-memory.dmp

Filesize
4KB

Download
memory/1680-4-0x0000000001000000-0x00000000010C2000-memory.dmp

Filesize
776KB

Download
memory/1680-19-0x0000000001000000-0x00000000010C2000-memory.dmp

Filesize
776KB

Download
memory/1908-17-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads