Analysis

  • max time kernel
    130s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/07/2024, 16:20

General

  • Target
    357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
  • Size
    147KB
  • MD5
    357a71bc43621cd13d8019d8eab8321e
  • SHA1
    7ba961decbab63775e375fe476d2678caebee4fd
  • SHA256
    c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602
  • SHA512
    6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846
  • SSDEEP
    3072:tOCn1rixFxB2MtsHQvjcPs1+nKYkdoqrhyK4gPVQDr9IF2q27iR1+aJe1mgawzx+:tOCn1rifm+sujcPsInKTtPVQGF2q2OR5

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\357a71bc43621cd13d8019d8eab8321e_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\tsrv.exe
      C:\Windows\tsrv.exe s
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:4720
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\System32\notepad.exe C:\Users\Admin\AppData\Local\Temp\920E.tmp
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\920E.tmp
    Filesize
    55KB
    MD5
    a94e8bf6886703fc51f222d3a0f554dc
    SHA1
    2fc428aee9bf8b19e7c6bc3be30b243b16ec95ac
    SHA256
    0e8a026c3220e8762ef698646ed636c464d1dda4fdf67aed74e27b305871dfc5
    SHA512
    b056b9a6653c720b0da7b73f674fdf491ea771f2e135755a96424846b10911e99b18ce976c43ed060569cdb02e8f0108b30b101d00a0f8c589cb0c1537953944

  • C:\Windows\SysWOW64\B98C.tmp
    Filesize
    6KB
    MD5
    cf3d1a580e2895c12361419c6c3e8580
    SHA1
    ea1338f55c190c66af4dea73d5ec3e8c5806187c
    SHA256
    66364c1bdefa75929031d7d2a434b1ebb0f60a308e50c424844673c13cf31561
    SHA512
    7fbad15c85b57e0d256cbe51e83e9f01bba764a7a4cd4c28ff0e5e64b5abe59ada448694421c87e801b411d5dd34a23115f93871af5d688742ea9a5ee6f08b51

  • C:\Windows\tsrv.dll
    Filesize
    5KB
    MD5
    392090050d9cf1f100365c5939bde059
    SHA1
    948d42e4251c34876b50ed27c9d0c20aa2b5864a
    SHA256
    0d3ca0588fa5d9bd60d6a79287fb53ffb72873fd72214ef2417cb8b26598d9e7
    SHA512
    5ee49d08db229dad3fc23a7c53e71fc881d67ee7168cc6fd9e52ad0c899138a7a33b15cc427a8f0d3e826e7f1634939a6ece19fee4d8bcb905b5521effdaaf12

  • C:\Windows\tsrv.exe
    Filesize
    147KB
    MD5
    357a71bc43621cd13d8019d8eab8321e
    SHA1
    7ba961decbab63775e375fe476d2678caebee4fd
    SHA256
    c05aaf0cb3982fac7c2fc589bc9504e1ad660294a5bf2a9e3b9b2717416c8602
    SHA512
    6943b1aca8fd0c93a787ec8b3e781984436f1463cc3e7dde81667666569cb66b9b896b255553eee36c7bc82fabeb900fbb89fcbd1c7950d64accc5ffc2cc1846

  • C:\Windows\tsrv.wax
    Filesize
    4KB
    MD5
    3e993a41ae687a17bff174e515f13df2
    SHA1
    49a8d2d615b47f61dd7d24d4a8249a4fb26f101a
    SHA256
    c68684e9b767de37cadca70aff84431d656588064874b97aac61503b8f271ca8
    SHA512
    a665a4692c319220ad3dec4068ac3b1b070fa39e32b374ae594afa0bbe1a014670394bf18859a731f7b2dc8867dd520608497c7ff389ad548d38cc7678e9a3d2

  • C:\Windows\tsrv.wax
    Filesize
    4KB
    MD5
    8fca3869920d1f39a5bc5ad895aaecf7
    SHA1
    5035c8de92d1e585fa23b8c217f75353d67d40dd
    SHA256
    606421e1c2a5585de6d17d0f195da37feb9dbc5e50548de87406ca7516d2ad62
    SHA512
    b2817e3d4abb1030a8a2beeda7b91a8b6d880e59fafb2b0bff1471c21904288c52a95c54e2bda61e20464cc58f542d541aa7f1605329480f4751693e95f6c8ad

  • C:\Windows\tsrv.wax
    Filesize
    680B
    MD5
    15e64d0ad7d79bb7101929b1721b5685
    SHA1
    a61974413b6ed6947be982b6a94aff0749e30422
    SHA256
    46f28afb06ef8f693406228e9c2aec680df81daf84d982b578e5b7ad7fef7fda
    SHA512
    56269a50455f56b5e56a77e4f756290f6a085c782ddef84279699ad706c796aa3b6645926ca48964cf86044ac7e995dac9c39b33fe49029143501aef762b87f0

  • C:\Windows\tsrv.wax
    Filesize
    1KB
    MD5
    644a8aea241d790bd6f814f399f90633
    SHA1
    a6ca891c0fcb3594ff8aaf463fbe7f463cf294d1
    SHA256
    e2cebc7908011052e01d6060b90ff9a44eb3b5d2e055dbccbb49d393eb9dbea5
    SHA512
    99111a1c52ca895298e7000fea86122c405ad13c2bd435dd428a666d287a04ea8d14dcfaf348e5523a86ee90bf325c4c299e780694d51176e6396bb1c87ab5af

  • C:\Windows\tsrv.wax
    Filesize
    1KB
    MD5
    db22c67f40d581dfa5de962ce72bff41
    SHA1
    65f41151bca8ceb1f11e92963118e9cbc9486c74
    SHA256
    2c81a4c846b050a27b91fbd2c299a2301bf7f76b82954adcb292910f1ef51bd0
    SHA512
    c8e7ac853869cf5a665c7c1da3214503933d8571cdcb9601288be9d5e039e525d8b16a26ee199d8ce4ee361f46c05579fb4baf07f97db995c863edc25d3ce0be

  • C:\Windows\tsrv.wax
    Filesize
    2KB
    MD5
    05bdcf433695ae363319e2c7d7591258
    SHA1
    f67e7d492a1754006d8a28ee8cde75ff6e5c3d67
    SHA256
    76b493610026c5f0bd2c85008df35bcaf91a29d84cd2560af75413fe617d0e20
    SHA512
    babf779c519e9e5317c7e111f1a51ffd862bbce97af2d3c94efda89be4dd13b30abae2a3164cc6bf043cc40970caef40fa986ef7dc67c50e040c9dc2a14a8d17

  • memory/4720-19-0x0000000077BA2000-0x0000000077BA3000-memory.dmp
    Filesize
    4KB