9feb7464a4f1ba9a5f8d670ea5bd71b8f28cae9b5f4accbd71e93accee11ce9b

Analysis

max time kernel
142s
max time network
139s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe
Size

50KB
MD5

437775e12356da0a5e830ab0c0cfcd15
SHA1

ccfa05ef4891796e47db6e8719f70d5494f0d0b1
SHA256

9feb7464a4f1ba9a5f8d670ea5bd71b8f28cae9b5f4accbd71e93accee11ce9b
SHA512

16fb31fbad4fe393f20150589a93d431ebddde1ca33b4383b34ce28f20f0f85c6bad6ff9cf365e0fbc0f7d058051717c6923982ceca9af4cb3c0856576143cfb
SSDEEP

768:VN6pRCG10Z8t8yPDtxdkVuctLz+aS/XvhZLqQ5x2TNKhYrfzaWgroex1iuz5GTuX:AGyP3+gvhFDf2wQid3TVGS

Score

8^/10

evasion execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2200	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	insider.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\guidex.dat	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\insider.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\insider.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\guidex.dat	insider.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1500	sc.exe
2576	sc.exe
2292	sc.exe
2720	sc.exe
2348	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2792	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2792	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2792	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2792	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	30
PID 2792 wrote to memory of 2720	2792	cmd.exe	32
PID 2792 wrote to memory of 2720	2792	cmd.exe	32
PID 2792 wrote to memory of 2720	2792	cmd.exe	32
PID 2792 wrote to memory of 2720	2792	cmd.exe	32
PID 2820 wrote to memory of 2308	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	33
PID 2820 wrote to memory of 2308	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	33
PID 2820 wrote to memory of 2308	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	33
PID 2820 wrote to memory of 2308	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2348	2308	cmd.exe	35
PID 2308 wrote to memory of 2348	2308	cmd.exe	35
PID 2308 wrote to memory of 2348	2308	cmd.exe	35
PID 2308 wrote to memory of 2348	2308	cmd.exe	35
PID 2820 wrote to memory of 2836	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	36
PID 2820 wrote to memory of 2836	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	36
PID 2820 wrote to memory of 2836	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	36
PID 2820 wrote to memory of 2836	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	36
PID 2820 wrote to memory of 2912	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	37
PID 2820 wrote to memory of 2912	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	37
PID 2820 wrote to memory of 2912	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	37
PID 2820 wrote to memory of 2912	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	37
PID 2820 wrote to memory of 2616	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	39
PID 2820 wrote to memory of 2616	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	39
PID 2820 wrote to memory of 2616	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	39
PID 2820 wrote to memory of 2616	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	39
PID 2820 wrote to memory of 2220	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	40
PID 2820 wrote to memory of 2220	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	40
PID 2820 wrote to memory of 2220	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	40
PID 2820 wrote to memory of 2220	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	40
PID 2820 wrote to memory of 2844	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	42
PID 2820 wrote to memory of 2844	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	42
PID 2820 wrote to memory of 2844	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	42
PID 2820 wrote to memory of 2844	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	42
PID 2820 wrote to memory of 2644	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	44
PID 2820 wrote to memory of 2644	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	44
PID 2820 wrote to memory of 2644	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	44
PID 2820 wrote to memory of 2644	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	44
PID 2820 wrote to memory of 2588	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	46
PID 2820 wrote to memory of 2588	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	46
PID 2820 wrote to memory of 2588	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	46
PID 2820 wrote to memory of 2588	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	46
PID 2820 wrote to memory of 2620	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	49
PID 2820 wrote to memory of 2620	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	49
PID 2820 wrote to memory of 2620	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	49
PID 2820 wrote to memory of 2620	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	49
PID 2820 wrote to memory of 2664	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	50
PID 2820 wrote to memory of 2664	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	50
PID 2820 wrote to memory of 2664	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	50
PID 2820 wrote to memory of 2664	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	50
PID 2820 wrote to memory of 2008	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	52
PID 2820 wrote to memory of 2008	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	52
PID 2820 wrote to memory of 2008	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	52
PID 2820 wrote to memory of 2008	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	52
PID 2820 wrote to memory of 3032	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	53
PID 2820 wrote to memory of 3032	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	53
PID 2820 wrote to memory of 3032	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	53
PID 2820 wrote to memory of 3032	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	53
PID 2820 wrote to memory of 1044	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	58
PID 2820 wrote to memory of 1044	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	58
PID 2820 wrote to memory of 1044	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	58
PID 2820 wrote to memory of 1044	2820	437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe	58

C:\Users\Admin\AppData\Local\Temp\437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop "Insider"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\sc.exe
    sc stop "Insider"
    3⤵
    - Launches sc.exe
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "Insider"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\sc.exe
    sc delete "Insider"
    3⤵
    - Launches sc.exe
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c
  2⤵
  PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /B "C:\Users\Admin\AppData\Local\Temp\437775e12356da0a5e830ab0c0cfcd15_JaffaCakes118.exe" "C:\Windows\system32\insider.exe" /Y
  2⤵
  - Drops file in System32 directory
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create "Insider" binPath= "C:\Windows\system32\insider.exe -s" start= auto error= ignore DisplayName= "Insider"
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\sc.exe
    sc create "Insider" binPath= "C:\Windows\system32\insider.exe -s" start= auto error= ignore DisplayName= "Insider"
    3⤵
    - Launches sc.exe
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc description "Insider" "Insider"
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\sc.exe
    sc description "Insider" "Insider"
    3⤵
    - Launches sc.exe
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start "Insider"
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\sc.exe
    sc start "Insider"
    3⤵
    - Launches sc.exe
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\69BB.tmp.bat"
  2⤵
  - Deletes itself
  PID:2200

C:\Windows\SysWOW64\insider.exe
C:\Windows\SysWOW64\insider.exe -s
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69BB.tmp.bat

Filesize
244B

MD5
857aa5d3ac5ab2c8862f1ecefbe91fc8

SHA1
21c37451df0bc8f7a258fd51f423d4c253349098

SHA256
277fb04ffdf22eb0923b325ef297522060afb222f214deeff1b66f797f043a40

SHA512
cfa41022da06a447358ac4ac050a5b60bdef7fc36d6bb177448f3796d0b11aecfcdb2bebf73222aa42b0d57b22e3230a03d8c97236af07523bf54e4d58db264e

Download Submit
C:\Windows\SysWOW64\guidex.dat

Filesize
16B

MD5
697739f313c1c5820ff3f1d0e7cfe5df

SHA1
a9789a63d8986a21895c8823eb5c396816db0095

SHA256
a312a24a9c206d87f92b3a9c67ce834ab97e826efb1a87d8c7ab757a78d97cda

SHA512
9989c0d68c9918268ab79e3a8b3383b0926b37255671a456f3d091db7944850c17cfa91add039d5b04cc536b8ff72e8eec2462be901c49290349c3ef4cca1f56

Download Submit
C:\Windows\SysWOW64\insider.exe

Filesize
50KB

MD5
437775e12356da0a5e830ab0c0cfcd15

SHA1
ccfa05ef4891796e47db6e8719f70d5494f0d0b1

SHA256
9feb7464a4f1ba9a5f8d670ea5bd71b8f28cae9b5f4accbd71e93accee11ce9b

SHA512
16fb31fbad4fe393f20150589a93d431ebddde1ca33b4383b34ce28f20f0f85c6bad6ff9cf365e0fbc0f7d058051717c6923982ceca9af4cb3c0856576143cfb

Download Submit
memory/1984-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1984-18-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2820-2-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2820-1-0x0000000001D00000-0x0000000001E00000-memory.dmp

Filesize
1024KB

Download
memory/2820-14-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download