79cf60976b460063d4eb8f7e83039aebf18dba16c50a787d191e72ecfefbddfe

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe
Size

108KB
MD5

445e8d5e7bc9e7d73b1189c2567ebd41
SHA1

3dd1b3fd60befc25cc6358c4bacfb9aaadb1a6a6
SHA256

79cf60976b460063d4eb8f7e83039aebf18dba16c50a787d191e72ecfefbddfe
SHA512

8e4c292cfe20bee8e842a5d00985800773a546171c321d8c06ac9b6740a14ca08dc6a1a6540d65bd17fc17be2bf7a2babe00a07a4cf7e684970c15dffc1662a9
SSDEEP

3072:IgXdZt9P6D3XJbCifHK1tjsITcqbfH7TtEz:Ie344ifHK1JxcEH7G

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	2796	rundll32.exe
8	2796	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe
2796	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2256	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2796	rundll32.exe
2796	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2796	2484	445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2796	2484	445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2796	2484	445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2796	2484	445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2796	2484	445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2796	2484	445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2796	2484	445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe	30
PID 2796 wrote to memory of 1424	2796	rundll32.exe	33
PID 2796 wrote to memory of 1424	2796	rundll32.exe	33
PID 2796 wrote to memory of 1424	2796	rundll32.exe	33
PID 2796 wrote to memory of 1424	2796	rundll32.exe	33
PID 1424 wrote to memory of 2256	1424	cmd.exe	35
PID 1424 wrote to memory of 2256	1424	cmd.exe	35
PID 1424 wrote to memory of 2256	1424	cmd.exe	35
PID 1424 wrote to memory of 2256	1424	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\445e8d5e7bc9e7d73b1189c2567ebd41_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll",Install C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /e:on /d /c ping -n 6 127.0.0.1 && DEL /F "C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll" >> nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 6 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0

Filesize
1024B

MD5
6499956889099f048bd8394fc3cca7ca

SHA1
22c48f326d2eae410239e4a08582b1830cbf3181

SHA256
f121459547bd348063dac8ed5424e97bad30b880d5499edd66fb8af26022f921

SHA512
f3ee3e9c72de3b0563ae7817b451e4bbd1a517a51a2de9c61279e4145524397555b235c217e8512121ec7d7e075544aad970c3d8a3fb610b70e045c8664c33ec

Download Submit
\Users\Admin\AppData\Local\Temp\Ff8wfHZYn0.dll

Filesize
89KB

MD5
7a06cb307f802c120609c0b3c1e963a9

SHA1
2bda4b275422ea6138b12efaeefcb9e279f1de95

SHA256
292340cb04147497e7828986c55765e24bc863ab8e3066b317d78032beab984a

SHA512
a38c7cfb714859ddca000390bae3c4dc5a4cf88db2e974168bf1270b0740568630ce2afd63cb6b663c7df9296a97d2c0dbc0968b2eaaab74487cd179876752a6

Download Submit
memory/2796-11-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/2796-10-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2796-9-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/2796-7-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/2796-15-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download