2908c9babcc4031257e4d6a4662b41ea892358834bc2e748fbbb4e4cc6e650eb

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe
Size

88KB
MD5

46636f0a19da3c85db3e08cf6633ae34
SHA1

02d5606837b4e578367322a87d1c6c86605b0ef4
SHA256

2908c9babcc4031257e4d6a4662b41ea892358834bc2e748fbbb4e4cc6e650eb
SHA512

cec82d805eef310098e88211f34631a5f2af92165bf015dce2f28c6721f1db3a22db25af5b3ed7162d9c2dd26a9852358793df0f4789b2f16ff3529c854fbada
SSDEEP

1536:IFDGY3DJOdKzGgBA2jRIFMCPdhjtr/FBK6+U0nbVyV+ufe2gj5Xh:IZnz1z1BlTQdZpadU0i+uA3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2388	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe
1640	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Repair = "C:\\Windows\\system32\\Repair\\dllhost.exe"	dllhost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MrX-world.dat	dllhost.exe
File created	C:\Windows\SysWOW64\Repair\dllhost.exe	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Repair\dllhost.exe	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MrX-world.dat	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Repair\dllhost.exe	dllhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1640	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe
2388	dllhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2388	1640	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2388	1640	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2388	1640	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe	30
PID 1640 wrote to memory of 2388	1640	46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46636f0a19da3c85db3e08cf6633ae34_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\Repair\dllhost.exe
  C:\Windows\system32\Repair\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MrX-world.dat

Filesize
27KB

MD5
2e7c53ecfba62fd99bf1333b5602ce0d

SHA1
6638bfff9970ef8cfd3ed9c26af992d93edbc4c8

SHA256
338267c1947903280b2d72e32d8f4287f2056351a463c4cbc9118812796e08b9

SHA512
890b1b0cd4bb996eea0557889c7affd868be73b11a206dcada0a89cffcee033f39065bb84f505c5b7704be0d98e851f0cc42304ffe3b5ad1f77e1f842f7ff5ea

Download Submit
\Windows\SysWOW64\Repair\dllhost.exe

Filesize
88KB

MD5
46636f0a19da3c85db3e08cf6633ae34

SHA1
02d5606837b4e578367322a87d1c6c86605b0ef4

SHA256
2908c9babcc4031257e4d6a4662b41ea892358834bc2e748fbbb4e4cc6e650eb

SHA512
cec82d805eef310098e88211f34631a5f2af92165bf015dce2f28c6721f1db3a22db25af5b3ed7162d9c2dd26a9852358793df0f4789b2f16ff3529c854fbada

Download Submit
memory/1640-18-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2388-19-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads