Analysis

  • max time kernel
    143s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/07/2024, 03:04

General

  • Target

    47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe

  • Size

    493KB

  • MD5

    47f13cf60a4f1d02784afc85702bedba

  • SHA1

    9a462b0f2e888645e4bde83391da0eb333db34e0

  • SHA256

    a1eef8a5a7b1640d2f161a67563766b6dd899f1ada93426c1fc1e2e599323f18

  • SHA512

    d26cccbc1fa16fb54b323f8e560f31cf707d1bc4104fa9f3485e2b854a5ced5d9045a706aef082f2ca2227960306940f4aaf623d628129e72f7c5cbf7d0cb914

  • SSDEEP

    6144:/sShZWyrW/gR4nsnDYdCzxyn1Nmrf2mzq46uyIuKmL03yNH6AYdzlRx1edQRX6YL:/anskwzYn1YTHpIzKmgih65udQhQ0kc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\47f13cf60a4f1d02784afc85702bedba_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Users\Admin\AppData\Local\Temp\10mtsbem.vsg.exe
      "C:\Users\Admin\AppData\Local\Temp\10mtsbem.vsg.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\winlog.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2772
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\al0c2y0l.xrg.JPG

    Filesize

    101KB

    MD5

    3aa561474f8dd9c65b53366a1e81e6ab

    SHA1

    513d3ecc100d4d898c1ef750bdcc7f0f096e0400

    SHA256

    48d6d5ba46b6834947fd73a0f7df3ee984382102fb1eb7981a0f14fdffa51e8c

    SHA512

    4f4092808625a0bddfd81ad0083a1b7dbc2848acfcba69905c79d56a7ede53db1dbcdec30d3c97b73a0aee784cbd946abefcab71e6b322416b07f4c7645ed0a3

  • \Users\Admin\AppData\Local\Temp\10mtsbem.vsg.exe

    Filesize

    141KB

    MD5

    a142e11261041cbb97bf9a6848423ee4

    SHA1

    f932c93eaeed6d104af232e99442ead254fa4352

    SHA256

    54231a7fd587a624c08166605b733fed6e4d1a9861e599fba6619bb6583103b6

    SHA512

    06ad01c2696aef16dcb7effd4df1bd72c7610845464ca7eec93f1b8de86a0a84d299d4fd0ff709142e98680770450d2b0f1e22c574a6014a608c1b5e4879e1df

  • memory/1296-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

    Filesize

    4KB

  • memory/1296-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1296-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/1296-16-0x0000000000E20000-0x0000000000E22000-memory.dmp

    Filesize

    8KB

  • memory/1296-18-0x00000000747D0000-0x0000000074D7B000-memory.dmp

    Filesize

    5.7MB

  • memory/2252-29-0x0000000011490000-0x00000000114BA000-memory.dmp

    Filesize

    168KB

  • memory/2380-17-0x00000000000B0000-0x00000000000B2000-memory.dmp

    Filesize

    8KB

  • memory/2772-31-0x0000000011490000-0x00000000114BA000-memory.dmp

    Filesize

    168KB