Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 15:09

General

  • Target

    353e474f7b4016813bbb462798fec64f_JaffaCakes118.exe

  • Size

    865KB

  • MD5

    353e474f7b4016813bbb462798fec64f

  • SHA1

    0464cc64c8e19e42765deeeae6e3f1a46c1ed9b9

  • SHA256

    b95d3f837860a9458844193b1eb148f16865728200f62c2671ebf37644f57dff

  • SHA512

    01395ed6cd1b6cfe3a81680bcbba907c99973f63bfe15c6010dc2f78a425fc9b28587d5268220595d39b5029c0d172931ed5b2f786a85d6509b563d48a2a24de

  • SSDEEP

    24576:K/7//0x2mmB+i06g8oUsuE/pm3dw1ClFrg2Dt59e4Omb5/:gzBb06g8oj1/pmDH/59//

Malware Config

Signatures

  • Detects PseudoManuscrypt payload 8 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is malware related to Lazarus's Manuscrypt; it has been seen targeting government organizations and ICS.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Traffic on the DNS port was detected to servers other than the configured DNS servers.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
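The "Unexpected DNS network traffic destination" signature above is a destination check: anything on port 53 that does not go to the resolver the VM was configured with is flagged. The block below is an added example, not code from the report or from the sandbox vendor; it reproduces that check over constructed flow records and additionally separates a well-formed query sent to a hard-coded resolver from non-DNS traffic hiding on port 53. The resolver address 10.127.0.1 and every flow in the sample are made up for illustration.

```python
"""Flag port-53 traffic that bypasses the sandbox's configured DNS resolvers.

Added example, not from the report or the sandbox vendor. Resolver address and
all flows are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address

DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int
    payload: bytes   # leading bytes of the first packet in the flow


def dns_header(payload: bytes, proto: str):
    """Decode the 12-byte DNS header; return (is_query, qdcount, opcode) or None."""
    if proto == "tcp":
        # DNS over TCP carries a 2-byte length prefix (RFC 1035 4.2.2)
        if len(payload) < 2:
            return None
        payload = payload[2:]
    if len(payload) < 12:
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    is_query = (flags & 0x8000) == 0          # QR bit clear -> query
    opcode = (flags >> 11) & 0xF              # 0 = standard query
    return is_query, qdcount, opcode


def classify(flow: Flow, resolvers: set) -> str:
    """
    ok        : port-53 traffic to a configured resolver
    rogue_dns : well-formed standard query to a server the VM was not configured to use
    not_dns   : port-53 traffic to an unconfigured host that does not parse as a query
                (tunnelling or C2 hiding on the DNS port)
    other     : not on the DNS port
    """
    if flow.dport != DNS_PORT:
        return "other"
    if ip_address(flow.dst) in {ip_address(r) for r in resolvers}:
        return "ok"
    hdr = dns_header(flow.payload, flow.proto)
    if hdr is not None:
        is_query, qdcount, opcode = hdr
        if is_query and qdcount >= 1 and opcode == 0:
            return "rogue_dns"
    return "not_dns"


def unexpected_dns(flows, resolvers):
    """Return (dst, verdict) for every flow the signature would flag."""
    hits = []
    for f in flows:
        verdict = classify(f, resolvers)
        if verdict in ("rogue_dns", "not_dns"):
            hits.append((f.dst, verdict))
    return hits


def _query(name: str) -> bytes:
    """Build a minimal standard A query for `name` (constructed test payload)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed sample data: the resolver the VM was configured with, and five flows.
SAMPLE_RESOLVERS = {"10.127.0.1"}
SAMPLE_FLOWS = [
    Flow("10.127.0.35", "10.127.0.1", "udp", 53, _query("example.com")),                  # configured resolver
    Flow("10.127.0.35", "8.8.8.8", "udp", 53, _query("example.com")),                     # hard-coded public resolver
    Flow("10.127.0.35", "8.8.4.4", "tcp", 53, b"\x00\x1d" + _query("example.com")),       # same query over TCP
    Flow("10.127.0.35", "203.0.113.5", "udp", 53, b"\xde\xad\xbe\xef" * 8),               # opaque blob on port 53
    Flow("10.127.0.35", "203.0.113.5", "tcp", 443, b"\x16\x03\x01"),                      # unrelated TLS
]

if __name__ == "__main__":
    for dst, verdict in unexpected_dns(SAMPLE_FLOWS, SAMPLE_RESOLVERS):
        print(f"{verdict:10s} -> {dst}")
```

Only outbound flows are examined; a sandbox capture normally also contains the resolver's replies, which carry the QR bit and would fall into `not_dns` if they were fed in as outbound traffic, so filter by direction before calling `classify`.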

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:472
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:2644
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:2900
      • C:\Users\Admin\AppData\Local\Temp\353e474f7b4016813bbb462798fec64f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\353e474f7b4016813bbb462798fec64f_JaffaCakes118.exe"
        1⤵
          PID:2416
        • C:\Windows\system32\rUNdlL32.eXe
          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\SysWOW64\rundll32.exe
            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
            2⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2408
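The tree above shows the sample's user-mode side in three steps: a case-mangled rUNdlL32.eXe loads sqlite.dll from the user's Temp directory by the export name "global", the 64-bit rundll32 hands off to its SysWOW64 copy for the 32-bit DLL, and the signatures on svchost.exe (SetThreadContext, WriteProcessMemory, NtCreateUserProcessOtherParentProcess) point at code running inside a service host. The block below is an added example, not code from the report or from the sandbox vendor: it walks process-creation events and applies the checks an analyst would write for this tree. The events are constructed from the pids, images and command lines shown above; the parent links the tree does not state (explorer.exe starting the sample, the sample starting the first rundll32) and the explorer.exe pid are assumptions.

```python
"""Flag the process-tree behaviours described by the report's signatures.

Added example, not from the report or the sandbox vendor. Events are
constructed from the tree above; parent links for the sample and for the first
rundll32, and the explorer.exe pid, are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path of the new process
    cmdline: str


LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents Windows normally uses; anything else is worth a look (PPID spoofing, injection).
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "wmiadap.exe": {"svchost.exe", "wmiprvse.exe"},
}
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\|\\(temp|appdata)\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path.lower()))


def tokenize(cmdline: str):
    """Split a Windows command line, keeping a double-quoted path as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rundll32_target(cmdline: str):
    """rundll32 syntax is <dll>,<entry> [args]; the DLL may be quoted on its own."""
    toks = tokenize(cmdline)
    if len(toks) < 2:
        return None, None
    if len(toks) >= 3 and toks[2].startswith(","):   # "<dll>",entry
        return toks[1], toks[2][1:]
    dll, _, entry = toks[1].partition(",")           # <dll>,entry
    return dll, entry or None


def analyse(events):
    """Return (pid, rule, detail) for every event a rule matches."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image).lower() if parent else None
        toks = tokenize(e.cmdline)
        tok0 = basename(toks[0]) if toks else ""
        # rUNdlL32.eXe-style casing defeats naive case-sensitive matching
        if tok0.lower() in LOLBINS and tok0 not in (tok0.lower(), tok0.upper()):
            hits.append((e.pid, "mixed-case LOLBin name", tok0))
        if name == "rundll32.exe":
            dll, entry = rundll32_target(e.cmdline)
            if dll and is_user_writable(dll):
                hits.append((e.pid, "rundll32 loads DLL from user-writable path", f"{dll},{entry}"))
        if name in EXPECTED_PARENT and parent_name not in EXPECTED_PARENT[name]:
            hits.append((e.pid, "unexpected parent", parent_name or "unknown"))
        if name in LOLBINS and parent and is_user_writable(parent.image):
            hits.append((e.pid, "LOLBin spawned by binary in user-writable path", parent.image))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\353e474f7b4016813bbb462798fec64f_JaffaCakes118.exe"
DLL = r"C:\Users\Admin\AppData\Local\Temp\sqlite.dll"

# Constructed from the tree above; ppid values marked "assumed" are not in the report.
SAMPLE_TREE = [
    ProcEvent(472, 404, r"C:\Windows\system32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(848, 472, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ProcEvent(2644, 848, r"C:\Windows\system32\wbem\WMIADAP.EXE", r"wmiadap.exe /F /T /R"),
    ProcEvent(2900, 472, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k SystemNetworkService"),
    ProcEvent(1336, 404, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),          # assumed
    ProcEvent(2416, 1336, SAMPLE, f'"{SAMPLE}"'),                                           # ppid assumed
    ProcEvent(2168, 2416, r"C:\Windows\system32\rUNdlL32.eXe", f'rUNdlL32.eXe "{DLL}",global'),  # ppid assumed
    ProcEvent(2408, 2168, r"C:\Windows\SysWOW64\rundll32.exe", f'rUNdlL32.eXe "{DLL}",global'),
]

if __name__ == "__main__":
    for pid, rule, detail in analyse(SAMPLE_TREE):
        print(f"pid {pid}: {rule} ({detail})")
```

The SysWOW64 rundll32 (pid 2408) is not flagged for its parent: a 64-bit rundll32 given a 32-bit DLL re-launches the 32-bit copy, which is normal. It is still flagged for the DLL path, which is the durable indicator here; the injected svchost.exe instances only show up through the memory-access signatures the report lists, not through process creation.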

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
    Filesize: 558KB
    MD5: d2ea63e70f5d51810958b2893048ebae
    SHA1: 5c3d28bf01f169685b09014544cf67cc3a610e2e
    SHA256: c5f36825e9c601d5550b02717dbeeeadf1b947806c613d4ff15ed43fbdf2023d
    SHA512: 749062d7ed13d600a28f0a07a5b0682252e45c7a0b693ee88815941c099f97e651b275b9cc47ed905875a2a3dd09a26da8d89963514e836aebfdfe8e060d53c3

  • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
    Filesize: 80KB
    MD5: 993b4986d4dec8eaebaceb3cf9df0cb4
    SHA1: 07ad151d9bace773e59f41a504fe7447654c1f34
    SHA256: 4412b9732c50551bf9278ee0ee4fe8e0e33b713f6eea5e6873950d807e9353ec
    SHA512: ee70123e2a4bad0ba6fe181ae9829f77257a4d162e2a01a478a5e37a70688370f3f2d2c833d253b093a99642e90512a3be684f004da23981c66cb9faccfa143e

  • memory/848-14-0x0000000000BB0000-0x0000000000BFD000-memory.dmp
    Filesize: 308KB

  • memory/848-11-0x0000000000BB0000-0x0000000000BFD000-memory.dmp
    Filesize: 308KB

  • memory/848-12-0x00000000013A0000-0x0000000001412000-memory.dmp
    Filesize: 456KB

  • memory/848-16-0x00000000013A0000-0x0000000001412000-memory.dmp
    Filesize: 456KB

  • memory/2408-9-0x0000000000BE0000-0x0000000000CE1000-memory.dmp
    Filesize: 1.0MB

  • memory/2408-23-0x00000000004C0000-0x000000000051D000-memory.dmp
    Filesize: 372KB

  • memory/2408-10-0x00000000004C0000-0x000000000051D000-memory.dmp
    Filesize: 372KB

  • memory/2900-20-0x0000000000290000-0x0000000000302000-memory.dmp
    Filesize: 456KB

  • memory/2900-17-0x0000000000060000-0x00000000000AD000-memory.dmp
    Filesize: 308KB

  • memory/2900-25-0x0000000000290000-0x0000000000302000-memory.dmp
    Filesize: 456KB

  • memory/2900-27-0x0000000000290000-0x0000000000302000-memory.dmp
    Filesize: 456KB

  • memory/2900-28-0x0000000000290000-0x0000000000302000-memory.dmp
    Filesize: 456KB

  • memory/2900-166-0x0000000000290000-0x0000000000302000-memory.dmp
    Filesize: 456KB

  • memory/2900-167-0x0000000000290000-0x0000000000302000-memory.dmp
    Filesize: 456KB