57b4124df68164799d76f23e15caa39ccf03d09dd232c9997a09a9490440322b

Analysis

max time kernel
140s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
Size

82KB
MD5

47c30c5ca4b2f571ca08a2f46abe5a02
SHA1

61fb17f5613db7c439f3cbcc27b5d9eb2e7fe54d
SHA256

57b4124df68164799d76f23e15caa39ccf03d09dd232c9997a09a9490440322b
SHA512

74eff30fa00c763817f76022f995035f027304a1e25601610e7f365b2ed60bbcf803870c373f086f2a5094c12ec37e702a5c355ea7e4126a179b53eeb1905755
SSDEEP

1536:UUHWkhI/q5CqltFcKM4Ed7HpRBjXTICNgD4B+COH8E60lk0GXkx:UUHWkhISDMBN/XTTBWH8D0ZGUx

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IRA\Parameters\ServiceDll = "C:\\Program Files (x86)\\IRAT\\IRAT.rmvb"	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
2404	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IRAT\IRAT.rmvb	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IRAT\IRAT.rmvb	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2052	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
2404	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3064	2052	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe	31
PID 2052 wrote to memory of 3064	2052	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe	31
PID 2052 wrote to memory of 3064	2052	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe	31
PID 2052 wrote to memory of 3064	2052	47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47c30c5ca4b2f571ca08a2f46abe5a02_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259431799.bat" "
  2⤵
  - Deletes itself
  PID:3064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259431799.bat

Filesize
278B

MD5
162ae8fd0cfe9437fa5fcb71bd4cb71a

SHA1
5df1e056b9e3712fda10e85049e706c51630b76e

SHA256
2fb6edaae0fcbc1db81b26c2ff9266f5894a2b549f5daed4ccd16afc8ab9c186

SHA512
5dbbce04f34d7843afc0b778fcda815b73ee62576d79ec7060ea5e3cdd0e1e719e17931788abadeb686c3a47e9d91217427429bcdb04e5079c5781cb7eeb3e84

Download Submit
\Users\Admin\AppData\Local\Temp\259431706.tmp

Filesize
124KB

MD5
80062697911956f31288abaf7f0af738

SHA1
3689873571e8c80d200b3531a0cf9c36dd2c2d1b

SHA256
f28fcf5faba030fb55a1c961836194ffd06d594303a56d203217243b4c9c6df0

SHA512
69ca61c02d1e0eb2f3f84220b8997f347701318df1f77dfb7393da80886a22ae381858a97cfa78ef6722a688f103e5267e228466e1da9d68f95cd01ddabf8623

Download Submit
memory/2052-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2052-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-5-0x00000000001B0000-0x00000000001D6000-memory.dmp

Filesize
152KB

Download
memory/2052-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-13-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/2404-23-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/2404-29-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/2404-35-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download