2d840205c5e6898a9ddcd306890c62d25b2018185ce0bb496c2cdc0fc90f3733

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe
Size

89KB
MD5

47b92870ffa733a8da933cd634f90db9
SHA1

7350552be26798ddf530ebae862fce7f72e869ae
SHA256

2d840205c5e6898a9ddcd306890c62d25b2018185ce0bb496c2cdc0fc90f3733
SHA512

34175002082bafa39691276982d2c1febdcab57cf70ced837ae095caf9015a3a930c027c848ee606a3d5aa4e7e51de31d86a506f94bb5f88c7ed5d4e4a0cb3ea
SSDEEP

1536:k5GJEhlcbW5sk1BlfLvveIbXWm+nwN6Jsos5gz87raiWQpyvH9JaT9MtXFAK0:yGu9BlfzWIbXWm+w0JM5o87rJuHqhMtO

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2488	S0M_SC~1.EXE

Loads dropped DLL 3 IoCs

pid	Process
1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe
1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe
2488	S0M_SC~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2488	S0M_SC~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2488	1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2488	1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2488	1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2488	1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2488	1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2488	1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2488	1760	47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47b92870ffa733a8da933cd634f90db9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S0M_SC~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S0M_SC~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\S0M_SC~1.EXE

Filesize
43KB

MD5
3feac6cb4277e2b579218db9306e13e9

SHA1
4cad7a86815e6da15d8e12e4b9600824603a0978

SHA256
9cffb1b425b7b60e2b97f7357c0678091269dcd8e54d9671cca5847ec1cb8735

SHA512
1ef12c898731f961fa2f2f1e02d2b8af1cddb3c2df6791158475f090a787214c382355501c0fb79e9506dae0dfdf86fb26f696a45b8bf074c6428ead528f8348

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads