156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
Size

3.3MB
MD5

3356aae4f5a2a83cb062e91f544fd3df
SHA1

d3e7b148cc7231cf2b99dbb53c95998169b1f831
SHA256

156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af
SHA512

2d56ddfbdd3e14f0e29831173d122cc6d5094d098f3d4e91ca0c2af388da22a441abe92a25977f9f859dde5d8076a38fc7877b56866a6fa5875bd63681f8e0e8
SSDEEP

12288:xrNogwflQWMw28nPi1Ken9UWDoUWtoOBFeBnJ8z490JWcm0:xrNoPflokn2KzWDHWtvc+Jy0

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1968	explorer.exe
1952	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
1968	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 1968 set thread context of 1952	1968	explorer.exe	32

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2508	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
2508	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2508	2484	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1968	2508	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	31
PID 2508 wrote to memory of 1968	2508	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	31
PID 2508 wrote to memory of 1968	2508	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	31
PID 2508 wrote to memory of 1968	2508	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1968 wrote to memory of 1952	1968	explorer.exe	32
PID 1952 wrote to memory of 2720	1952	explorer.exe	33
PID 1952 wrote to memory of 2720	1952	explorer.exe	33
PID 1952 wrote to memory of 2720	1952	explorer.exe	33
PID 1952 wrote to memory of 2720	1952	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\18788.bat"
        5⤵
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18788.bat

Filesize
183B

MD5
32e66b308043ce7a4600e2dd7d048257

SHA1
05d8b30c47dfa7a9d7d242f75716538c4b4491fd

SHA256
f686a466d28fbb8bb4b4aaaf4d7f8f51b6e624d45102ab480517f92a4b64dadd

SHA512
8825fd87623842a45cd8aa8f3c2fc5dba86d0a7d2129bb120aa78c455e7d189cd2992a987c87abbe21ede33f03d43d9491cad86787a58be0a704ad31df303713

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
3.3MB

MD5
3356aae4f5a2a83cb062e91f544fd3df

SHA1
d3e7b148cc7231cf2b99dbb53c95998169b1f831

SHA256
156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af

SHA512
2d56ddfbdd3e14f0e29831173d122cc6d5094d098f3d4e91ca0c2af388da22a441abe92a25977f9f859dde5d8076a38fc7877b56866a6fa5875bd63681f8e0e8

Download Submit
memory/1952-56-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1952-46-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1952-45-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1952-42-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1952-43-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1952-39-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-8-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-15-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-14-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-44-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-12-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-10-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-6-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-4-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2508-2-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download