45fc8f2107a0bbb1324e69404d8dd60db0fa742c6b784205a5f3444d7be2a22c

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe
Size

629KB
MD5

3499c0cfc9d30d2637867d55822c03dc
SHA1

3c852fc54c7ca4130939da38b12a71dcef8785fb
SHA256

45fc8f2107a0bbb1324e69404d8dd60db0fa742c6b784205a5f3444d7be2a22c
SHA512

39f862329e92c0dca049fb6520cda6a2980f6b7ff419a229d0308db4172add93055b636ce638e32de947f0f6f303c499675930f9b3c6335f869595593b81306c
SSDEEP

12288:R/IY2iLUhXtAJITTj2hhs/tN/KFAsF3Z4mxxs0MHoTAFbX:R/EiLUh+UEYX/EQmXsKc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2264	1.exe
2816	360safe

Loads dropped DLL 4 IoCs

pid	Process
3004	3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe
3004	3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe
2680	WerFault.exe
2680	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Deleteme.bat	1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\360safe	1.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\360safe	1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	2816	WerFault.exe	32

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2264	3004	3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2264	3004	3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2264	3004	3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2264	3004	3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2680	2816	360safe	33
PID 2816 wrote to memory of 2680	2816	360safe	33
PID 2816 wrote to memory of 2680	2816	360safe	33
PID 2816 wrote to memory of 2680	2816	360safe	33
PID 2264 wrote to memory of 2976	2264	1.exe	34
PID 2264 wrote to memory of 2976	2264	1.exe	34
PID 2264 wrote to memory of 2976	2264	1.exe	34
PID 2264 wrote to memory of 2976	2264	1.exe	34

C:\Users\Admin\AppData\Local\Temp\3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3499c0cfc9d30d2637867d55822c03dc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Deleteme.bat""
    3⤵
    PID:2976

C:\Program Files\Common Files\Microsoft Shared\MSINFO\360safe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\360safe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 224
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Deleteme.bat

Filesize
144B

MD5
aeb0a0f0ff20558122773f7a69acf150

SHA1
497477b809b9a0e8e1f2380c6b85e57658c5bb00

SHA256
c4ced11af38b5f065298c491bcda80a39c69f40de591f577bd861ae669af914f

SHA512
cbfc629b8254bdd5b07e494630231ace552d44ea088484a2f2352b5f96e7e4c101cb1b00a5374e40d84ba79734507824b1973bea987d87f17fd746c370de71a4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
258KB

MD5
1852fa3824087332b5beece519961493

SHA1
80357ae21f9fbf7647e0a0f9371a5e82f931faf0

SHA256
07202f6e61488d12ea156e850c3238a5c177ba950d34319fb4b3c76c88b4b590

SHA512
faad04092fa4aebd4a889de99aeb7d4713387edb679cf71e2eb2506f2555e45e142575dbd51bd7771027cfeb9ebd04d5a3659a28541e8625a05497cd59c501fd

Download Submit
memory/2264-62-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2264-53-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2816-54-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2816-45-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/3004-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3004-19-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3004-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3004-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/3004-4-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3004-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3004-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3004-14-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3004-31-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3004-30-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3004-29-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3004-28-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3004-27-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3004-26-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3004-23-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3004-22-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3004-21-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/3004-20-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3004-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3004-18-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3004-17-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3004-16-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3004-15-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3004-9-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3004-34-0x0000000003150000-0x0000000003258000-memory.dmp

Filesize
1.0MB

Download
memory/3004-40-0x0000000003150000-0x0000000003258000-memory.dmp

Filesize
1.0MB

Download
memory/3004-10-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3004-48-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/3004-49-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/3004-50-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3004-52-0x0000000003150000-0x0000000003258000-memory.dmp

Filesize
1.0MB

Download
memory/3004-11-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3004-12-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3004-13-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3004-64-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/3004-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads