4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99

Analysis

max time kernel
122s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
Size

557KB
MD5

416db420e781c709bb71acee0b79282f
SHA1

bdd2bae83c3bab9ba0c199492fe57e70c6425dd3
SHA256

4bcb2a5d99297b30f8ff00e08cf7330d5e2f69fc602bb317bf8e9f703a137a99
SHA512

31a229abfc2e7039db7e5bb8510cdd89b0ef4d2ea1e22293cb9cc26a4f73ac07dd2456e0b0ac30000d43f20b87c4abdd53fdb7556912da66824406e98347df5e
SSDEEP

12288:6cdkVE1wqnLHHP1W0Tilcyy3VLk3BWpC/c3fvYQuObIk:XOXqLHHNWy3VLk31k3fA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2080	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2964	atiapfxx.exe

Loads dropped DLL 5 IoCs

pid	Process
2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
2964	atiapfxx.exe
2964	atiapfxx.exe
2964	atiapfxx.exe
2964	atiapfxx.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2648	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2760	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	30
PID 2344 wrote to memory of 2760	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	30
PID 2344 wrote to memory of 2760	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	30
PID 2344 wrote to memory of 2760	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	30
PID 2344 wrote to memory of 2104	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2104	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2104	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2104	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2964	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	34
PID 2344 wrote to memory of 2964	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	34
PID 2344 wrote to memory of 2964	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	34
PID 2344 wrote to memory of 2964	2344	416db420e781c709bb71acee0b79282f_JaffaCakes118.exe	34
PID 2964 wrote to memory of 2080	2964	atiapfxx.exe	35
PID 2964 wrote to memory of 2080	2964	atiapfxx.exe	35
PID 2964 wrote to memory of 2080	2964	atiapfxx.exe	35
PID 2964 wrote to memory of 2080	2964	atiapfxx.exe	35
PID 2080 wrote to memory of 2648	2080	cmd.exe	37
PID 2080 wrote to memory of 2648	2080	cmd.exe	37
PID 2080 wrote to memory of 2648	2080	cmd.exe	37
PID 2080 wrote to memory of 2648	2080	cmd.exe	37
PID 2964 wrote to memory of 2336	2964	atiapfxx.exe	38
PID 2964 wrote to memory of 2336	2964	atiapfxx.exe	38
PID 2964 wrote to memory of 2336	2964	atiapfxx.exe	38
PID 2964 wrote to memory of 2336	2964	atiapfxx.exe	38

C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  /c time /T
  2⤵
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  /c time /T
  2⤵
  PID:2104
- C:\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe
  C:\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe C:\Users\Admin\AppData\Roaming\ATI\atisamu32.dll, ADL2_Display_Regamma_Set pid=2344 "C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    /Q /C TASKKILL /F /PID 2344 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\416db420e781c709bb71acee0b79282f_JaffaCakes118.exe > NUL
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /F /PID 2344
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    /c time /T
    3⤵
    PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ATI\atisamu32.dll

Filesize
812KB

MD5
da311c2005e7580c662d1911dbee49c0

SHA1
26d030c93c517d63147f502bf6536c3914698821

SHA256
cd7ec70cbd88620acc499cee175309c87f0f4d2de5bbc99fd525c62cc25441d5

SHA512
06adf8403bdb1fb434af028ea594cc7d53f38bad9d393966553656a630ec9f5e67163a531cd317e1f9c9ecff88343dd4e590ee1241bf098a418b7cdaa79d4bbd

Download Submit
C:\Users\Admin\AppData\Roaming\ATI\racss.dat

Filesize
5KB

MD5
d1440f0f6ded17896b0cf85e87915d65

SHA1
3b297f0ca7750c0c74e5f931fec1528fe1ba6bc9

SHA256
1c14172ed934e77fea0e0ea435c3a736fad22df4aadba679b9f7523e24cfad86

SHA512
3c3b78afd859014dc62328be401a5e4637bb600a5ae7c385523d175f4e019fba20e471d6b21242cee6fe537810074e19b2ace5a8bd106d8787c163362de48172

Download Submit
\Users\Admin\AppData\Roaming\ATI\atiapfxx.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit