ca74653b78a425c49ba25d0ed0e979dd28e401fefbb4f8ebf8de6cd5294b48ed

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
Size

1.1MB
MD5

32880b095d8152d486a3de42cbd65d35
SHA1

248a3c0787fda926ef4bc03110901b9fcbf69ac7
SHA256

ca74653b78a425c49ba25d0ed0e979dd28e401fefbb4f8ebf8de6cd5294b48ed
SHA512

a7f481dfda74fedde936b89a960aaf3f97fedef9c960a37bda53f68c2acaf362f6b8c18e6f02f3d0e1eb7dbd7271c0ba751a33db7de93db54118f47eb93c550f
SSDEEP

12288:aRVBjal9FDNtJdk88+xx0DqXJkwB0ogFnpo+1HyzxpuZUK/ubz9K7AD2/ah0mChq:qXj2ftP6yS61LCRm4Mb401EhZbcgKUb+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2068	install.exe
2316	trade hack v1825.exe
2128	isass.exe

Loads dropped DLL 16 IoCs

pid	Process
332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
2068	install.exe
2068	install.exe
2068	install.exe
2068	install.exe
2068	install.exe
2068	install.exe
2068	install.exe
2316	trade hack v1825.exe
2316	trade hack v1825.exe
2316	trade hack v1825.exe
2128	isass.exe
2128	isass.exe
2128	isass.exe
2128	isass.exe
2316	trade hack v1825.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2848	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2068	install.exe
2128	isass.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2068	install.exe
Token: SeIncBasePriorityPrivilege	2068	install.exe
Token: SeIncBasePriorityPrivilege	2068	install.exe
Token: SeIncBasePriorityPrivilege	2128	isass.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2316	trade hack v1825.exe
2128	isass.exe
2316	trade hack v1825.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 2068	332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	31
PID 332 wrote to memory of 2068	332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	31
PID 332 wrote to memory of 2068	332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	31
PID 332 wrote to memory of 2068	332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	31
PID 332 wrote to memory of 2068	332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	31
PID 332 wrote to memory of 2068	332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	31
PID 332 wrote to memory of 2068	332	32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe	31
PID 2068 wrote to memory of 2128	2068	install.exe	32
PID 2068 wrote to memory of 2128	2068	install.exe	32
PID 2068 wrote to memory of 2128	2068	install.exe	32
PID 2068 wrote to memory of 2128	2068	install.exe	32
PID 2068 wrote to memory of 2128	2068	install.exe	32
PID 2068 wrote to memory of 2128	2068	install.exe	32
PID 2068 wrote to memory of 2128	2068	install.exe	32
PID 2068 wrote to memory of 2316	2068	install.exe	33
PID 2068 wrote to memory of 2316	2068	install.exe	33
PID 2068 wrote to memory of 2316	2068	install.exe	33
PID 2068 wrote to memory of 2316	2068	install.exe	33
PID 2068 wrote to memory of 2316	2068	install.exe	33
PID 2068 wrote to memory of 2316	2068	install.exe	33
PID 2068 wrote to memory of 2316	2068	install.exe	33
PID 2128 wrote to memory of 2692	2128	isass.exe	34
PID 2128 wrote to memory of 2692	2128	isass.exe	34
PID 2128 wrote to memory of 2692	2128	isass.exe	34
PID 2128 wrote to memory of 2692	2128	isass.exe	34
PID 2128 wrote to memory of 2692	2128	isass.exe	34
PID 2128 wrote to memory of 2692	2128	isass.exe	34
PID 2128 wrote to memory of 2692	2128	isass.exe	34
PID 2692 wrote to memory of 2676	2692	cmd.exe	36
PID 2692 wrote to memory of 2676	2692	cmd.exe	36
PID 2692 wrote to memory of 2676	2692	cmd.exe	36
PID 2692 wrote to memory of 2676	2692	cmd.exe	36
PID 2692 wrote to memory of 2676	2692	cmd.exe	36
PID 2692 wrote to memory of 2676	2692	cmd.exe	36
PID 2692 wrote to memory of 2676	2692	cmd.exe	36
PID 2676 wrote to memory of 2848	2676	cmd.exe	37
PID 2676 wrote to memory of 2848	2676	cmd.exe	37
PID 2676 wrote to memory of 2848	2676	cmd.exe	37
PID 2676 wrote to memory of 2848	2676	cmd.exe	37
PID 2676 wrote to memory of 2848	2676	cmd.exe	37
PID 2676 wrote to memory of 2848	2676	cmd.exe	37
PID 2676 wrote to memory of 2848	2676	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32880b095d8152d486a3de42cbd65d35_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\install.exe
  C:\Users\Admin\AppData\Local\Temp\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\isass.exe
    C:\Users\Admin\AppData\Local\isass.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c setup.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2848
- - C:\Users\Admin\AppData\Local\trade hack v1825.exe
    "C:\Users\Admin\AppData\Local\trade hack v1825.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\isass.exe

Filesize
114KB

MD5
22367d3925d0ce479e26b4bfffd981af

SHA1
51927129412bb0dc40c70edea8564018d6cdc9c1

SHA256
605531328588d61ce66fbc099109d42d616b1d9d7857a6e6ef1d8633d841d894

SHA512
05fcf3d06c1be0b8809a58b5c2410a31f41d78ea18f5022b02ed6e768433628e2267303c8a7ad78b992d8f68cce45478e835d4f8b1ea85b72de97eb812c48527

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
750KB

MD5
2aaddeb3be2ace2f08c6da6e05e2d935

SHA1
a88ad8a2937c6ca60d5af0a0681cb9339e09fd0f

SHA256
2aedb4e3f7d2ad311ef217734a4d0e99e6c7310c7469c25bfbee85e7cf153295

SHA512
bc4e6cceb4b9d68b9fdb3375fb6cbfd93179dded26d9d1d2060bd1ebe03802ae613303a64337790af9b86091010337cba5243c4cbc740be8972be534c7e539c8

Download Submit
\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
7b4c2a53c459c513b9577666592ea527

SHA1
bee4c401988641187512311c6d57f5a35964473a

SHA256
a53586432386bd588e9fdc74dbfc3b1905c35b4cf09e2359096bef697c57f534

SHA512
17860b50a28294dc1605ef7c26cd2f652447caa6adc1b78de54f2e05fcff3457c8ca0a557342c3089a3fc661f632cc483272c1b3340860ee6ca22978c8d7c2ac

Download Submit
\Users\Admin\AppData\Local\trade hack v1825.exe

Filesize
20KB

MD5
ae859471a470989c488f7e913cc9f088

SHA1
ba5a876cf34d892064aec35bb884722ea73551d5

SHA256
f727397f95f6f1bd80ca1f8c28bc397fbc33935286d6001d48a572034e5dd44b

SHA512
06199925c0daa9b56066dfae681e03ce473859bb143087a6323edfd504970c5fe7cb03d4d3149b1e947cee4faf9eeab18b0d9cedb63fdd5cc8bb37632add1222

Download Submit
memory/332-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/332-27-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2068-26-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2128-41-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2128-52-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2128-53-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2316-49-0x00000000008B0000-0x00000000008F1000-memory.dmp

Filesize
260KB

Download
memory/2316-54-0x00000000008B0000-0x00000000008F1000-memory.dmp

Filesize
260KB

Download
memory/2316-60-0x00000000008B0000-0x00000000008F1000-memory.dmp

Filesize
260KB

Download