d14393e4d8803103b4b0534adeec6cacacfb0a1c726629680478d9d413f8c232

Analysis

max time kernel
142s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
Size

2.2MB
MD5

46fe2546a2c1bb35f6860a18569921f9
SHA1

1a569d1e2fb57962ae11e0dd29698e91287e5d80
SHA256

d14393e4d8803103b4b0534adeec6cacacfb0a1c726629680478d9d413f8c232
SHA512

4796a24467166ad81a82ad758a3caeaac9f32a1ddd6ad456fd4d94bee0755803dbe1be8b8c1d09254a8152831b44590186336969144dbe9a40ef940865c89867
SSDEEP

49152:HUGEBRAokI3bXPcWxdTi5YP6K+b0CNYr8yfBbvX5E5beeFX6K:HbORnkI3bfcOdT8Q6KzCNYrDX54jFD

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2364	setup.exe
2360	foxybot.exe
2280	scrss.exe

Loads dropped DLL 16 IoCs

pid	Process
2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
2364	setup.exe
2364	setup.exe
2364	setup.exe
2364	setup.exe
2364	setup.exe
2360	foxybot.exe
2360	foxybot.exe
2360	foxybot.exe
2364	setup.exe
2364	setup.exe
2280	scrss.exe
2280	scrss.exe
2280	scrss.exe
2280	scrss.exe
2360	foxybot.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\scrss = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	foxybot.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2636	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2364	setup.exe
2280	scrss.exe
2280	scrss.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2360	foxybot.exe
2360	foxybot.exe
2360	foxybot.exe
2280	scrss.exe
2360	foxybot.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2364	2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2364	2388	46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2360	2364	setup.exe	31
PID 2364 wrote to memory of 2360	2364	setup.exe	31
PID 2364 wrote to memory of 2360	2364	setup.exe	31
PID 2364 wrote to memory of 2360	2364	setup.exe	31
PID 2364 wrote to memory of 2360	2364	setup.exe	31
PID 2364 wrote to memory of 2360	2364	setup.exe	31
PID 2364 wrote to memory of 2360	2364	setup.exe	31
PID 2364 wrote to memory of 2280	2364	setup.exe	32
PID 2364 wrote to memory of 2280	2364	setup.exe	32
PID 2364 wrote to memory of 2280	2364	setup.exe	32
PID 2364 wrote to memory of 2280	2364	setup.exe	32
PID 2364 wrote to memory of 2280	2364	setup.exe	32
PID 2364 wrote to memory of 2280	2364	setup.exe	32
PID 2364 wrote to memory of 2280	2364	setup.exe	32
PID 2280 wrote to memory of 2076	2280	scrss.exe	34
PID 2280 wrote to memory of 2076	2280	scrss.exe	34
PID 2280 wrote to memory of 2076	2280	scrss.exe	34
PID 2280 wrote to memory of 2076	2280	scrss.exe	34
PID 2280 wrote to memory of 2076	2280	scrss.exe	34
PID 2280 wrote to memory of 2076	2280	scrss.exe	34
PID 2280 wrote to memory of 2076	2280	scrss.exe	34
PID 2076 wrote to memory of 2776	2076	cmd.exe	36
PID 2076 wrote to memory of 2776	2076	cmd.exe	36
PID 2076 wrote to memory of 2776	2076	cmd.exe	36
PID 2076 wrote to memory of 2776	2076	cmd.exe	36
PID 2076 wrote to memory of 2776	2076	cmd.exe	36
PID 2076 wrote to memory of 2776	2076	cmd.exe	36
PID 2076 wrote to memory of 2776	2076	cmd.exe	36
PID 2776 wrote to memory of 2636	2776	cmd.exe	37
PID 2776 wrote to memory of 2636	2776	cmd.exe	37
PID 2776 wrote to memory of 2636	2776	cmd.exe	37
PID 2776 wrote to memory of 2636	2776	cmd.exe	37
PID 2776 wrote to memory of 2636	2776	cmd.exe	37
PID 2776 wrote to memory of 2636	2776	cmd.exe	37
PID 2776 wrote to memory of 2636	2776	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46fe2546a2c1bb35f6860a18569921f9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\foxybot.exe
    "C:\Users\Admin\AppData\Local\foxybot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Users\Admin\AppData\Local\scrss.exe
    "C:\Users\Admin\AppData\Local\scrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V scrss /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
141B

MD5
c43bd7836a8cf448f69638e14889ace4

SHA1
b7cdd6cabefdecad0f27f0c56215661e3fe2bb60

SHA256
c5d8cfcd50c0a777ec07376edcb4a80b2e22bb8d115c2d2f5718022fb78e82d9

SHA512
077301b1326b81e6069d66e7ddf6605809b74db34a4b131994089bd49787d172052e70ee980b66915bf665385355a80da6a5981bc5f1971b74145f499e73adf2

Download Submit
C:\Users\Admin\AppData\Local\scrss.exe

Filesize
444KB

MD5
7d4ccd44a98e70fab7c6407d8e5b096d

SHA1
41213e37f0e53c0240f0b1fc76d7fa4dc25a0ca1

SHA256
00a6a5b368d6ad0fa0dee0e65319e51836e90ec6de1d493c4ee2a5b6160a635c

SHA512
43a2f8066c4e9f926c052cdc08b4c2716fac909d7fa17f076c0ed5e15962ab8b4b099daa183c28ca8676a12d330daf0a46ebe2bc626aa7cfa8a8f570ad9e7aa5

Download Submit
\Users\Admin\AppData\Local\foxybot.exe

Filesize
752KB

MD5
5e0aafdd4d056ef8889fd8d83357708d

SHA1
5d30e99d2d557bb947bf4b1677ba70745741a491

SHA256
05c24fe54f55d1d54d56908d5e9f55672d1eda52cda1e1fff73ca9e2cb83dfe2

SHA512
58ebd0918521a1e2262e69cd1ccb46c50d908a814e18985bb518f61e88891cbbf074fb449dd4e792efcaa1183b451c4bdf35d3d713593bd14b0ac9803e03a153

Download Submit
\Users\Admin\AppData\Local\ntldr.dll

Filesize
238KB

MD5
8380322522bb509450441bfd9eb341be

SHA1
6e72ee00e97d26bd62d956f87d5a8e83fa70104a

SHA256
1bfe346c455fa962ef1113b0ab6915a4b290ddaad7618c94caa8a3f17e2be71e

SHA512
7faa191d0750408db656762f9a98ec56968a88a3c8672b7135576544c67d76370e85634604e3b8d35b2d64ff2a7cfbac75f8f22ee900ba25b957ca1123071c5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\setup.exe

Filesize
1.6MB

MD5
156c2ea4b91c579724a7cbe9aa7cfc3c

SHA1
a1def009885f358162e25eb2ee6fdc7bf4b1bd84

SHA256
c1c4cc0f02fad9726546d0cb0632e369e5392ee4113642099d90dbcfb5b231eb

SHA512
183c7a62bb1e1ecb78e53e95fe64b3e89edc2248d4d1f84ae877138b4f11e39b07235d338faa8a5906af0ecff5e33e605c0b8d930c69b1f5edf79eedaea38baa

Download Submit
memory/2280-71-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2280-40-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/2280-72-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/2280-80-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2280-89-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2280-98-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2360-54-0x0000000003220000-0x0000000003260000-memory.dmp

Filesize
256KB

Download
memory/2360-70-0x0000000003220000-0x0000000003260000-memory.dmp

Filesize
256KB

Download
memory/2364-37-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/2388-7-0x0000000004000000-0x000000000422F000-memory.dmp

Filesize
2.2MB

Download
memory/2388-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download