f2167716d8292af49a4b3fd8510501462d58337ccebec3c78c9087a9ef3612bf

Analysis

max time kernel
143s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe
Size

1.7MB
MD5

3e43904e7a2463d918cab263f9d7c129
SHA1

bce43ab5e5535403475b327c141734eb97233252
SHA256

f2167716d8292af49a4b3fd8510501462d58337ccebec3c78c9087a9ef3612bf
SHA512

e981325aeacd889e45e80c25dfc82b1cadcd1b4a741d5ae407234ec80b6fa16d971540fe883605c1ca57109d0e81978072bd543219ae9ce73ec8c43a78709bf6
SSDEEP

49152:kRaqrZon4TYFyhPhMP1rYRU52DJbWoEop+:kRaq8UPhVXDJbWoLE

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1664	install.exe
2848	isass.exe
2868	multihack metin2 it.exe

Loads dropped DLL 12 IoCs

pid	Process
3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe
1664	install.exe
1664	install.exe
1664	install.exe
1664	install.exe
1664	install.exe
1664	install.exe
1664	install.exe
2848	isass.exe
2848	isass.exe
2848	isass.exe
2848	isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2688	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1664	install.exe
1664	install.exe
1664	install.exe
1664	install.exe
1664	install.exe
1664	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2848	isass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2848	isass.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1664	3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	29
PID 3012 wrote to memory of 1664	3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	29
PID 3012 wrote to memory of 1664	3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	29
PID 3012 wrote to memory of 1664	3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	29
PID 3012 wrote to memory of 1664	3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	29
PID 3012 wrote to memory of 1664	3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	29
PID 3012 wrote to memory of 1664	3012	3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe	29
PID 1664 wrote to memory of 2848	1664	install.exe	30
PID 1664 wrote to memory of 2848	1664	install.exe	30
PID 1664 wrote to memory of 2848	1664	install.exe	30
PID 1664 wrote to memory of 2848	1664	install.exe	30
PID 1664 wrote to memory of 2848	1664	install.exe	30
PID 1664 wrote to memory of 2848	1664	install.exe	30
PID 1664 wrote to memory of 2848	1664	install.exe	30
PID 1664 wrote to memory of 2868	1664	install.exe	31
PID 1664 wrote to memory of 2868	1664	install.exe	31
PID 1664 wrote to memory of 2868	1664	install.exe	31
PID 1664 wrote to memory of 2868	1664	install.exe	31
PID 2848 wrote to memory of 2616	2848	isass.exe	32
PID 2848 wrote to memory of 2616	2848	isass.exe	32
PID 2848 wrote to memory of 2616	2848	isass.exe	32
PID 2848 wrote to memory of 2616	2848	isass.exe	32
PID 2848 wrote to memory of 2616	2848	isass.exe	32
PID 2848 wrote to memory of 2616	2848	isass.exe	32
PID 2848 wrote to memory of 2616	2848	isass.exe	32
PID 2616 wrote to memory of 2664	2616	cmd.exe	34
PID 2616 wrote to memory of 2664	2616	cmd.exe	34
PID 2616 wrote to memory of 2664	2616	cmd.exe	34
PID 2616 wrote to memory of 2664	2616	cmd.exe	34
PID 2616 wrote to memory of 2664	2616	cmd.exe	34
PID 2616 wrote to memory of 2664	2616	cmd.exe	34
PID 2616 wrote to memory of 2664	2616	cmd.exe	34
PID 2664 wrote to memory of 2688	2664	cmd.exe	35
PID 2664 wrote to memory of 2688	2664	cmd.exe	35
PID 2664 wrote to memory of 2688	2664	cmd.exe	35
PID 2664 wrote to memory of 2688	2664	cmd.exe	35
PID 2664 wrote to memory of 2688	2664	cmd.exe	35
PID 2664 wrote to memory of 2688	2664	cmd.exe	35
PID 2664 wrote to memory of 2688	2664	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e43904e7a2463d918cab263f9d7c129_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c setup.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2688
- - C:\Users\Admin\AppData\Local\multihack metin2 it.exe
    "C:\Users\Admin\AppData\Local\multihack metin2 it.exe"
    3⤵
    - Executes dropped EXE
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
C:\Users\Admin\AppData\Local\multihack metin2 it.exe

Filesize
476KB

MD5
c3f6a9b111db795f9b4d94c6ec15b6cf

SHA1
16c86a65afa86b09ee8332af2535a8a914c20c15

SHA256
6dcc669136d098f5b43b94b9cb76fb1af192ef34864f523fdfdb0c36f0f50d48

SHA512
2bee02d939acde50fc86f2240fd0a3f78963ca7f2371ba7dd630770e244a8042ece31b35106ba633302b7ec02a466efeeb5e34da845c22d0ef61344ce1e7732e

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
216KB

MD5
80c93fe64268e17e644e55d4f46fdefe

SHA1
f275bd8a5426398afbf855df8fe9504ed5d8adb3

SHA256
d4fecb746734cd651a9dd064c25754dc87aa7e65c796d5eb9d355893449bda6c

SHA512
8789a9c917879ddb7fc41e0c2bd64398bb93836d7229e38d118702d92f14b29547594b719bd27b5cca030756949129d312dff7a5e40447c9e48ae256fe610a39

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
1.3MB

MD5
5b4b7c12339a5acb9a38466decd6e8f2

SHA1
f084d14dc3b277da1ed4a5a298de3c7b2f49c7ba

SHA256
b02070d6171d12b371e6e51c5e9966b9322f39e39fad88d59ea8c200656a092a

SHA512
45c1e326e46d542dc672e46cbd86e549ea1caaf1e2e4894931ba0650ba7d8e7041d2b7a8cc1b19d8d92c1de88fcfdbf05799f7189442f53033cdb8229bb9b742

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
480KB

MD5
c5630a4509929bfc6c85a280285ca934

SHA1
52bde69afb354fd3b3a1b49f453e521de1ce0fb2

SHA256
54e531eeb80f977fc9ee005c26b0b0e5157d4e06f4ac9bef4cfd985175ad331f

SHA512
5203de240bb36bb0da77e08dc2664cdaf4bf8997f2ccc2af92363a2e41f04c420435cfd6ff785c6cad581e791838b2564a7851681a0fce7bac47ed3b876b8ef0

Download Submit
memory/1664-31-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/2848-38-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2848-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-48-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/3012-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/3012-8-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download