62ca32a078d7dba3d72dd51a0d352339759ccc9ad75a93c84df2dd9f847951c7

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe
Size

174KB
MD5

3a6794b3f61c8077411907bd9140f4ab
SHA1

ee57fbd725ccbb02540a5a4a474f8e7ae3ca9245
SHA256

62ca32a078d7dba3d72dd51a0d352339759ccc9ad75a93c84df2dd9f847951c7
SHA512

898c599bb337f157155890bfec90a0fc51d85babb3b0299d4f77db8d2a132ab0a61c87f5be9d58dc8c038eb31f0a7db8b239f63f863a410cbcaa59ca52dfc563
SSDEEP

3072:S/vGHqJLx6B/CRLdhHPp5wfvryWMG/gUngpcD6dozcI/Vz3q5:+WqA/eRJr0YUnaGcKLq

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\F1D472.exe"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2708	sm163.exe
2740	sm163.exe
2604	id163.exe
2540	id163.exe

Loads dropped DLL 17 IoCs

pid	Process
2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe
2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe
2708	sm163.exe
2708	sm163.exe
2740	sm163.exe
2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe
2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe
2604	id163.exe
2604	id163.exe
2540	id163.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe
2040	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	sm163.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	sm163.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2740	2708	sm163.exe	31
PID 2604 set thread context of 2540	2604	id163.exe	33

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	2540	WerFault.exe	33

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2740	sm163.exe
2740	sm163.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	sm163.exe
2604	id163.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2708	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2708	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2708	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2708	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2708	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2708	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	30
PID 2596 wrote to memory of 2708	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2708 wrote to memory of 2740	2708	sm163.exe	31
PID 2596 wrote to memory of 2604	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2604	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2604	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2604	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2604	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2604	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	32
PID 2596 wrote to memory of 2604	2596	3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe	32
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2604 wrote to memory of 2540	2604	id163.exe	33
PID 2540 wrote to memory of 2040	2540	id163.exe	34
PID 2540 wrote to memory of 2040	2540	id163.exe	34
PID 2540 wrote to memory of 2040	2540	id163.exe	34
PID 2540 wrote to memory of 2040	2540	id163.exe	34
PID 2540 wrote to memory of 2040	2540	id163.exe	34
PID 2540 wrote to memory of 2040	2540	id163.exe	34
PID 2540 wrote to memory of 2040	2540	id163.exe	34
PID 2740 wrote to memory of 1116	2740	sm163.exe	35
PID 2740 wrote to memory of 1116	2740	sm163.exe	35
PID 2740 wrote to memory of 1116	2740	sm163.exe	35
PID 2740 wrote to memory of 1116	2740	sm163.exe	35
PID 2740 wrote to memory of 1116	2740	sm163.exe	35
PID 2740 wrote to memory of 1116	2740	sm163.exe	35
PID 2740 wrote to memory of 1116	2740	sm163.exe	35

C:\Users\Admin\AppData\Local\Temp\3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a6794b3f61c8077411907bd9140f4ab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm163.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm163.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm163.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm163.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Adds policy Run key to start application
      PID:1116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\id163.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\id163.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\id163.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\id163.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 392
      4⤵
      Loads dropped DLL
      Program crash
      PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\id163.exe

Filesize
200KB

MD5
957f9fa9cd114d011612b2c4039b0719

SHA1
7423c4e94f869e92682bdaa2404915a968299db6

SHA256
e172a68881d321184d94914dd56d6294c0a761dc02ba1e75732841cd62ca777b

SHA512
1fc77bb2c9856f5d7d78614919510b203d4cfc4ef6d4a5d731f686ac2e78b619de0817992fe3e5e2171ccb351377dc1644e93fe4e6b1dbdae7e764ee6be22f3f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm163.exe

Filesize
144KB

MD5
ed5d002427e5be912eb0f89183227c8c

SHA1
5a5462000ab07534b0af280ac7f173947c7b4cc0

SHA256
3d9b1edaa1ff28791b5c8e29f571f7a4cb9923ce65caf14aa11f6d52bdcb2238

SHA512
e65c8dcf7d8a1d2b059132243b150f4f98e01a6c07e655337a6d45c998e17353d69ee3e337be5a72e3d9cd265a69bcd5d433297f2c1354f4ae4a31a536a8ad72

Download Submit
memory/1116-72-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/1116-64-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1116-67-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1116-71-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2540-73-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-38-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-44-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-46-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-49-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-51-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2540-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2740-25-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2740-65-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2740-22-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2740-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-18-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2740-16-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads