24d798837b7b27dfdd3732e4ba091404b204442fccefc00bc96e61264d00baae

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe
Size

37KB
MD5

31ba85d1725be33d4bc0f195780e7fd4
SHA1

4019f250e03fd110982c87db3e254df5603c849f
SHA256

24d798837b7b27dfdd3732e4ba091404b204442fccefc00bc96e61264d00baae
SHA512

ff56bfc8a38290d016e0392654165516e02a20ac234f7484fc20b6d50b8f510b1258dcf9d9a33df8c8121a10fee09198d925031e21318334562a8c8e5c751974
SSDEEP

768:ejCyzmmRmDyt1+h3TPjDsDIZ6HQrsNMp5/WFn1iFJzuD6rwA:WzmmRmDy3s3TPj+IKQDp5eFn1iF26rV

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
308	iexplorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\iexplorer.exe"	iexplorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\iexplorer.exe	31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\iexplorer.exe	31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1264	31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	iexplorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
308	iexplorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 308	1264	31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe	30
PID 1264 wrote to memory of 308	1264	31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe	30
PID 1264 wrote to memory of 308	1264	31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31ba85d1725be33d4bc0f195780e7fd4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\system32\iexplorer.exe
  "C:\Windows\system32\iexplorer.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\iexplorer.exe

Filesize
37KB

MD5
31ba85d1725be33d4bc0f195780e7fd4

SHA1
4019f250e03fd110982c87db3e254df5603c849f

SHA256
24d798837b7b27dfdd3732e4ba091404b204442fccefc00bc96e61264d00baae

SHA512
ff56bfc8a38290d016e0392654165516e02a20ac234f7484fc20b6d50b8f510b1258dcf9d9a33df8c8121a10fee09198d925031e21318334562a8c8e5c751974

Download Submit
memory/308-11-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/308-12-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/308-13-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/1264-0-0x000007FEF65DE000-0x000007FEF65DF000-memory.dmp

Filesize
4KB

Download
memory/1264-1-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/1264-2-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/1264-10-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads