3c4e582214f06af76d67619585bc68331f8d55c77c74b66445e66865f020249f

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
Size

292KB
MD5

31ffdcf9db6f4adb0a48751fab8b30b4
SHA1

d350e6998ee8b9f35f4b46a38dfe3553cb722e2c
SHA256

3c4e582214f06af76d67619585bc68331f8d55c77c74b66445e66865f020249f
SHA512

ad25fc9d0d49cb024c657ad300e447ac3f76703e715fb6f1ff573abe22c7cea64dc20f0d50b67ce899f9c20ce8db88ddd3028e74320b61c51d56a7843739e03b
SSDEEP

6144:ryH7xOc6H5c6HcT66vlmuJCoDgGDpPsr6h5jUJea:rac3sk6vgz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2096	svchost.exe
2396	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
2548	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	svchost.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2396	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
2396	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
2396	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
2396	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2096	1412	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe	30
PID 1412 wrote to memory of 2096	1412	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe	30
PID 1412 wrote to memory of 2096	1412	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe	30
PID 1412 wrote to memory of 2096	1412	31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe	30
PID 2096 wrote to memory of 2396	2096	svchost.exe	31
PID 2096 wrote to memory of 2396	2096	svchost.exe	31
PID 2096 wrote to memory of 2396	2096	svchost.exe	31
PID 2096 wrote to memory of 2396	2096	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2396

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31ffdcf9db6f4adb0a48751fab8b30b4_JaffaCakes118.exe

Filesize
257KB

MD5
d9eefeba4a66c6fd2b615a2eb3b3f939

SHA1
10684d83a67662798f95b0f883546d16a4b411dc

SHA256
fc55c2467a983bfcaafea3a9bc74259c8fcb82761b064925263013c33ca61124

SHA512
4b76110cff62d0c240484cfd57ecdaf75b29e9b7bbc506167ea40b3aab34ea022f5443ba4fc44e474ff61d2f6b3e8cb53ff3ff575e5b10fa49e1480861bf07a5

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/1412-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2548-38-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2548-43-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2548-49-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download