c3bb07cdf482d3ca64e70279f1f133c6c5796a99ffdbac76c73541bb00fce378

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 04:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe
Size

124KB
MD5

2f098bd3c3f52bceec7fb8de6aa2cb60
SHA1

4602db50a1da240a17e55f4b46256ebb1e474297
SHA256

c3bb07cdf482d3ca64e70279f1f133c6c5796a99ffdbac76c73541bb00fce378
SHA512

0ae67b1940f0d424eb12e227d576c602c2f530d5c6f4065565b0c25ab600b5eae707a9a3d12fe47896a7bead0e3717cd913b8c8d46d1e2fc5616e6b364063c50
SSDEEP

3072:KGu9BlfzWIbXWm+w0J15iUIZ3tylccJRwhE8MPxqToEV:K/0uo7wshJ6hEjxqTD

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2264	aclr1.exe
1680	3rror.exe

Loads dropped DLL 6 IoCs

pid	Process
2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe
2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe
2264	aclr1.exe
2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe
2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe
1680	3rror.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	aclr1.exe
1680	3rror.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2264	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2264	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2264	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2264	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2264	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2264	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2264	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	30
PID 2052 wrote to memory of 1680	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	31
PID 2052 wrote to memory of 1680	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	31
PID 2052 wrote to memory of 1680	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	31
PID 2052 wrote to memory of 1680	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	31
PID 2052 wrote to memory of 1680	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	31
PID 2052 wrote to memory of 1680	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	31
PID 2052 wrote to memory of 1680	2052	2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f098bd3c3f52bceec7fb8de6aa2cb60_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aclr1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aclr1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3rror.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3rror.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\3rror.exe

Filesize
92KB

MD5
53eb6519c7f4f6175af48fe823087ebd

SHA1
e592d4a9ea7cea2760f614c20da1b1b196825856

SHA256
1f0f8cc7558f335e8124667087636de233cb99bdcecfb61823bb0403b1f44754

SHA512
45982eb5746246665c4a0c279888a71617e24badc77d1af861b390e4df7e0f7164700a16a91651d7ea0390be29b03d261a0228f203ca530018d7af10bbbeb5c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\aclr1.exe

Filesize
44KB

MD5
f1533a6cfa86049645bc71602d51d57a

SHA1
e64d616539dd3bf517d73c60c6d4694b85211739

SHA256
f51c26d69f63ca59be5861c61624ad9e345fc2a9fe2ab32254e0887d87233ed6

SHA512
e9173f1e7217145513f56be57aa3d30aba85f40a94093e26c984e5a193085f0458b2585976137f14f86449ef5c5b42f8975a9226dcaac6a9015efee8e71a2e78

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads