933313715594f05fb1ab3ff7631ec284ee797ae2f7e2fa17100bfdffd0095dff

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 17:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe
Size

131KB
MD5

35b13c91b3fd4240715ca17a1704f7c6
SHA1

936b20aa0f5acda2fef3d523060ee8b63a737336
SHA256

933313715594f05fb1ab3ff7631ec284ee797ae2f7e2fa17100bfdffd0095dff
SHA512

76b9f846da5097499302c82956e2a29fcf1f4d453b5bff12cddcf56600ce54490218ba9a43d7861c253680c138fb5c7201af5bc90945b53b593471bcda26b57c
SSDEEP

3072:iNEeUBe0fMZNydHLTGvtHYkdrp3DyZBKsb/:iNEeUBe8qNIGJVsBK6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2148	Ftutoa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFGQBFFUUO = "C:\\Windows\\Ftutoa.exe"	Ftutoa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe
File created	C:\Windows\Ftutoa.exe	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe
File opened for modification	C:\Windows\Ftutoa.exe	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	Ftutoa.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\International	Ftutoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe
2148	Ftutoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2148	2564	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2148	2564	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2148	2564	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe	29
PID 2564 wrote to memory of 2148	2564	35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35b13c91b3fd4240715ca17a1704f7c6_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\Ftutoa.exe
  C:\Windows\Ftutoa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\Ftutoa.exe

Filesize
131KB

MD5
35b13c91b3fd4240715ca17a1704f7c6

SHA1
936b20aa0f5acda2fef3d523060ee8b63a737336

SHA256
933313715594f05fb1ab3ff7631ec284ee797ae2f7e2fa17100bfdffd0095dff

SHA512
76b9f846da5097499302c82956e2a29fcf1f4d453b5bff12cddcf56600ce54490218ba9a43d7861c253680c138fb5c7201af5bc90945b53b593471bcda26b57c

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
bdeaace77ab495d6465da27ed4bbd784

SHA1
0aa8daf11ab244dfbc69dfb2a47830e27dae1a75

SHA256
390535e7fe5bfb4dc4bbfebc6788a192013a761352b3ddceaafddb19571d9c07

SHA512
b17639201046a068dfab65a2e36551d40bc5a253d678f795767fdd536783a08c0c2b879161ab04c325e5e541f784f8e67efbb5b165b568fce88dc84e1c44d2dc

Download Submit
memory/2148-14609-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-48859-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-48871-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-48863-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-14646-0x00000000751A0000-0x00000000751AF000-memory.dmp

Filesize
60KB

Download
memory/2148-48853-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-48857-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-48855-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-36627-0x00000000751A0000-0x00000000751AF000-memory.dmp

Filesize
60KB

Download
memory/2148-36570-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-40804-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-40803-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-7252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-23585-0x00000000751A0000-0x00000000751AF000-memory.dmp

Filesize
60KB

Download
memory/2564-23586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-7312-0x00000000751A0000-0x00000000751AF000-memory.dmp

Filesize
60KB

Download
memory/2564-1-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download