ec4760d60a9037a5aa26179a2b781399068914730bd2d91560289cdd6fbb3301

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe
Size

21KB
MD5

3c3c5efb689532054a00e03fd4dfdc64
SHA1

223568d31b9c54d6508671304baf8d10beb9c63a
SHA256

ec4760d60a9037a5aa26179a2b781399068914730bd2d91560289cdd6fbb3301
SHA512

7c15ec5fda79eb15f26667bebe40baa446cb2536f4f753e1dc19bc4e6b383cbe197a6af220de70dcefadca76b72b790b9be0f52520d9cac68d68ec4f445d56cd
SSDEEP

384:hKmFuFr1PamGIPVF8upJS2YVAvFY1EVIEj1:RuFhCmxF8R2YCvFY6Vr

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	mppds.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	mppds.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\mppds = "C:\\Windows\\mppds.exe"	mppds.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mppds.dll	mppds.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mppds.exe	3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe
File opened for modification	C:\Windows\mppds.exe	3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2712	mppds.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2712	1708	3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2712	1708	3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2712	1708	3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe	30
PID 1708 wrote to memory of 2712	1708	3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe	30
PID 2712 wrote to memory of 1272	2712	mppds.exe	21
PID 2712 wrote to memory of 1272	2712	mppds.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\mppds.exe
    C:\Windows\mppds.exe @C:\Users\Admin\AppData\Local\Temp\3c3c5efb689532054a00e03fd4dfdc64_JaffaCakes118.exe@1708
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mppds.exe

Filesize
21KB

MD5
3c3c5efb689532054a00e03fd4dfdc64

SHA1
223568d31b9c54d6508671304baf8d10beb9c63a

SHA256
ec4760d60a9037a5aa26179a2b781399068914730bd2d91560289cdd6fbb3301

SHA512
7c15ec5fda79eb15f26667bebe40baa446cb2536f4f753e1dc19bc4e6b383cbe197a6af220de70dcefadca76b72b790b9be0f52520d9cac68d68ec4f445d56cd

Download Submit
memory/1272-7-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download