f10b3f34f196c26987548dcaed4a8ccb7571c5c9473adf27064f92b158a4e3d9

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 17:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe
Size

24KB
MD5

315d06d839dd60f9912767999b53c9dd
SHA1

5c056d4368c3f0445166d73aeead3ff3e8f9f6fa
SHA256

f10b3f34f196c26987548dcaed4a8ccb7571c5c9473adf27064f92b158a4e3d9
SHA512

9faef61e0329fc6bec64db4a2e5934f8c5eb057398eed8db3a33d636ea811416dc7320160b40aca0f8df2129510dc86dd035a46d8d193e79811663013502cedd
SSDEEP

192:3jtnFDU/6RhW3gw/YzvH6e1h+DD9SMeI:TtnFl3W3gw/YzvaeID9SMeI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	DbCheck.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	cmd.exe
1944	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DbCheck = "C:\\Windows\\system32\\DbCheck.exe"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DbCheck.exe	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DbCheck.exe	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2032	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2484	DbCheck.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe
2484	DbCheck.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2352	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	30
PID 1316 wrote to memory of 2352	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	30
PID 1316 wrote to memory of 2352	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	30
PID 1316 wrote to memory of 2352	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1944	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1944	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1944	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1944	1316	315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe	31
PID 2352 wrote to memory of 2032	2352	cmd.exe	34
PID 2352 wrote to memory of 2032	2352	cmd.exe	34
PID 2352 wrote to memory of 2032	2352	cmd.exe	34
PID 2352 wrote to memory of 2032	2352	cmd.exe	34
PID 1944 wrote to memory of 2484	1944	cmd.exe	35
PID 1944 wrote to memory of 2484	1944	cmd.exe	35
PID 1944 wrote to memory of 2484	1944	cmd.exe	35
PID 1944 wrote to memory of 2484	1944	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\315d06d839dd60f9912767999b53c9dd_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /d C:\Windows\system32\DbCheck.exe /v DbCheck
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /d C:\Windows\system32\DbCheck.exe /v DbCheck
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\DbCheck.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\DbCheck.exe
    C:\Windows\system32\DbCheck.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\DbCheck.exe

Filesize
24KB

MD5
315d06d839dd60f9912767999b53c9dd

SHA1
5c056d4368c3f0445166d73aeead3ff3e8f9f6fa

SHA256
f10b3f34f196c26987548dcaed4a8ccb7571c5c9473adf27064f92b158a4e3d9

SHA512
9faef61e0329fc6bec64db4a2e5934f8c5eb057398eed8db3a33d636ea811416dc7320160b40aca0f8df2129510dc86dd035a46d8d193e79811663013502cedd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads