7a987202b3f21feba73cebc91df3d2ed573434081a7ed2126420d626ab290093

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 14:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe
Size

195KB
MD5

463a493493052c07dbee10c2435edd7f
SHA1

10fda5da3eaac2a1fa6ab4918d256636a9ee9425
SHA256

7a987202b3f21feba73cebc91df3d2ed573434081a7ed2126420d626ab290093
SHA512

4c79681cdc4114eacc14de9e0981db4026db5434df5971e61d20659aa27ee9346dd58c2e996f68d447cbf9e8d8f02e7821b8ac8f92fcb0d73fe8897d2f913168
SSDEEP

3072:FhbHu1k5njeBrlHV5ZbDKSBiEaeIya7RmA6EuHq06sF7sOQWd9+1unPvtB+8f:FhbyUkHV7bWSBi2a7UN7sOQWr+k68f

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qoqniy\Parameters\ServiceDll = "%SystemRoot%\\System32\\vapxao.kll"	463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET002\services\qoqniy\Parameters\ServiceDll = "%SystemRoot%\\System32\\vapxao.kll"	463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\CONTROLSET003\Services\qoqniy\Parameters\ServiceDll = "%SystemRoot%\\System32\\vapxao.kll"	463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2028	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1020	463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe
2028	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\00051bac.sys	463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vapxao.kll	463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2028	svchost.exe
2028	svchost.exe
2028	svchost.exe

C:\Users\Admin\AppData\Local\Temp\463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\463a493493052c07dbee10c2435edd7f_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
PID:1020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost -k qoqniy
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\vapxao.kll

Filesize
146KB

MD5
71bc00997a441711fe13f0eb30774618

SHA1
e561212450e12e294b12e56d87da1b10d936784e

SHA256
10486b2ff52771f3d981c576e02af08a58d40478b4d33d9337568e37cdc190e8

SHA512
00ac52c1ce05c1a3c3d9bb6c7b54ba2f7c333f94fe7b088eaa83272b27c5be6e51bfdd6524bc1a14d3863aa821658a98e015b39508a7bf444ce2aeaedd177cd1

Download Submit
memory/1020-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1020-5-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/1020-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download