4ab116060c22a13bb318d928f2719b38e23c0b19603129a8878f7b5e4fd4e3db

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe
Size

1.2MB
MD5

332aaa8f571054658ff6673365bf7def
SHA1

f97c81882b610df9d1d74484724fd31e8a445518
SHA256

4ab116060c22a13bb318d928f2719b38e23c0b19603129a8878f7b5e4fd4e3db
SHA512

3026333cb5490a0e9dfedf339c28382d71e7de68833fc1d88e0f1e198d85a117c8cc5b085ee16314ce5bddfcf80313585ca42ff4e68fa94be3803f5434a64bc3
SSDEEP

12288:Yszz9w4HeEi6vNZRXrP6HLZIOThXduNxX8h3o9A8qFcJtlFw2T3J0:Yc9w4+d6VnXruLZ3TeNuRuJRXT3O

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\urlspace = "C:\\Users\\Admin\\AppData\\Local\\Temp\\332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe -h"	332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2152	332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2152	332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe
Token: 33	2152	332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2152	332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2152	332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\332aaa8f571054658ff6673365bf7def_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Spiritsoft\urlspirit\product.dat

Filesize
130B

MD5
52812ca300535896cd1aa45e93235069

SHA1
e1f0eb496001970692de93db75dfa28160ed415e

SHA256
c2c13e82409e3e446e0f80e0d3fe4fc60da0cacdbdce978f11064f98657a5840

SHA512
880db3f40da78264fa3204587ced63eb2aa9b91c076fc579740e95a7f1495b307978b304773b066f97a7159dc85994cb350ee8fd895dd0afb3cc2a9eb9740834

Download Submit
memory/2152-0-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2152-1-0x0000000000406000-0x0000000000407000-memory.dmp

Filesize
4KB

Download
memory/2152-13-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2152-14-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2152-15-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/2152-16-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads