4796b3237442c951330e56c843bdc1dd0ec79825598d28dbe36175e707d349fc

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe
Size

114KB
MD5

4094a6afa1ca6de10180edc9690a2474
SHA1

8411c32e8344d26ee0eaf53b8b2f432e43bff02b
SHA256

4796b3237442c951330e56c843bdc1dd0ec79825598d28dbe36175e707d349fc
SHA512

c8f21c9e91908440de6843dc24f42accedadf7b4504256acd060e81ca6bdeb5cbb57687d40a29e89ffc2000e69b1aa8e015df3686b7da043bb8bbfac66756502
SSDEEP

3072:zoCMXP+f6FmxNTwNYFEB0M8tjWEasxWuD:zoCc+f67NY6+M8tasxWuD

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\359F5809-00B8-4455-A73A-9EA62A51101B = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe\""	4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2436	1624	4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe	30
PID 1624 wrote to memory of 2436	1624	4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe	30
PID 1624 wrote to memory of 2436	1624	4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe	30
PID 1624 wrote to memory of 2436	1624	4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4094a6afa1ca6de10180edc9690a2474_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\05240CB0.cmd
  2⤵
  - Deletes itself
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05240CB0.cmd

Filesize
291B

MD5
b3494abbccbc385cb8563a3678c7d0c4

SHA1
58562a2fae632401dd754ae5e91586366a26bb50

SHA256
012c85980c9cbc02c3e450c6e24eb58aee1c016f10baaaa9b1b5efc3566f4175

SHA512
c0dcd7c3dd5d6d93a540e823864a1fd83dd5e83c9f63a5f3dde6a395ef80316f717f8068c15312d42c86d6871e2eb5d77b682e0e53c07e2f017d1ce1302c7d58

Download Submit
memory/1624-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads