4119b4045326052faa0f5b4ede712a40991a458bbebfaea7ac162bdf0140cec8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f786264de9456062e47ee4e97155024_JaffaCakes118.exe
Size

22KB
MD5

3f786264de9456062e47ee4e97155024
SHA1

2803d9d90de2f02f704756a032bf02e632f87099
SHA256

4119b4045326052faa0f5b4ede712a40991a458bbebfaea7ac162bdf0140cec8
SHA512

50c02d8da48e19b276c8442074ddb735a96c923e16e073e9dcda9c518d505f52ce825ed160aaf4d918760e66c89205f207481d0bd48b14cf983f1498ec9c99b0
SSDEEP

384:XRnMQZxU7roQuL+1faJUjM+Ulw4kYnJEW04pGhVJs+P79yPyVr5BrWPyjZT3g7:XRMwxCd/1faGjgl/nw+E9PsPyVvrWPyW

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2196	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\svchost.exe"	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.exe	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe
File created	C:\Windows\ie-hook.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2220	2196	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	svchost.exe
2196	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe
Token: SeDebugPrivilege	2196	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2196	2812	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2196	2812	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2196	2812	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2196	2812	3f786264de9456062e47ee4e97155024_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2220	2196	svchost.exe	31
PID 2196 wrote to memory of 2220	2196	svchost.exe	31
PID 2196 wrote to memory of 2220	2196	svchost.exe	31
PID 2196 wrote to memory of 2220	2196	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\3f786264de9456062e47ee4e97155024_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f786264de9456062e47ee4e97155024_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 556
    3⤵
    - Program crash
    PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
22KB

MD5
3f786264de9456062e47ee4e97155024

SHA1
2803d9d90de2f02f704756a032bf02e632f87099

SHA256
4119b4045326052faa0f5b4ede712a40991a458bbebfaea7ac162bdf0140cec8

SHA512
50c02d8da48e19b276c8442074ddb735a96c923e16e073e9dcda9c518d505f52ce825ed160aaf4d918760e66c89205f207481d0bd48b14cf983f1498ec9c99b0

Download Submit
memory/2196-10-0x0000000013140000-0x0000000013180000-memory.dmp

Filesize
256KB

Download
memory/2812-6-0x0000000013140000-0x0000000013180000-memory.dmp

Filesize
256KB

Download