fc1c04846cf922d045dfd2bce64ee8d7a8e9a8c5fbfd5a508b380426d1402998

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe
Size

189KB
MD5

2eea1ac80810e7e2bec2af3b7910ea2e
SHA1

403b33aba60663b730210975b4229c4c758e5006
SHA256

fc1c04846cf922d045dfd2bce64ee8d7a8e9a8c5fbfd5a508b380426d1402998
SHA512

828cda3df4c958b18f6c97e39e219415fce7a7d68dfacc9bbbc4736d7ffe9d4a9ff8a32601725b94a6820c5105753ba0c76ed81b6b06dea33671617a3607933d
SSDEEP

3072:/ZicV8bfnAU9To69JiVkAu2AnkTPdrezrY2wa7xGDA88SswULwYK7JmcVeb:RicuvPvaVkzkTPArTwix3SsiYKm

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2644	dplaysvr.exe

Loads dropped DLL 3 IoCs

pid	Process
2708	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe
2708	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe
2644	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2708	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe
2644	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2644	2708	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2644	2708	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2644	2708	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe	31
PID 2708 wrote to memory of 2644	2708	2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\2eea1ac80810e7e2bec2af3b7910ea2e_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  PID:2644

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\510D.tmp

Filesize
76KB

MD5
57ca0be7841ca37945919dfc56f736e4

SHA1
6d8f9d7b7d432b38e9b40cdfd85b5b611ee1026c

SHA256
23dc8f257801f9d20f5173533c27b318fd26493b2f7b51ad9f51e906432a4260

SHA512
91c44fdc3337af1d77c4965bc309610cec8a1e5f496da02cd8efc4ec2f38ac862eb4bdc837710726c9b93710191f732d99437abc4671866ad6c94198daf1d290

Download Submit
C:\Users\Admin\AppData\Local\Temp\510E.tmp

Filesize
121KB

MD5
0d41a48a44382089f88f223f677a735a

SHA1
d633ad9b2390099d0775ca769f7a3d38a40713f7

SHA256
a54d21872ea486d60a55d205a939935394de4c049eaf4a97e8a404fbbed37e46

SHA512
08b2ed55c73f31e39ec0304cf9b402772e8942baa615c69827deb79e1874acca1e3df2e58441a7633de0dd950d07c25ee20d79d87476177ef08a35e0a6f67e7a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
884B

MD5
b8dc34273f4a5febd78da41013fa38ea

SHA1
d154c933e978a974bb26ef3f34310251e379bf17

SHA256
69a9b750833e23b6fe85db441f896707c251f70b76cae72aba866f27a376aeb3

SHA512
f4be940791a955fed2ce956c4fb45731c36cbd3d4f6b877585cced5dac1506e2be18f3a6047437d56328c6fbb2f3b536a07683c2058e316f27b36b567f93f87c

Download Submit
memory/2644-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2708-3-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2708-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads