cfcd7448244868ae81f1c2d20ccf0287d6ec530d518a56d88f5f621fea77f590

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe
Size

1.8MB
MD5

47fab2748dfbb8faea929ab898951bbc
SHA1

1f014edb0c69555bbbc374f83959b9e8d16288c3
SHA256

cfcd7448244868ae81f1c2d20ccf0287d6ec530d518a56d88f5f621fea77f590
SHA512

5d5fee03e9e775ab12337d3c6db6b13fc20d1be8e365adcde83397f3dd02489bee2a9ea4205ba5edf3f17e1275414eaa10f7913f7b52c01bb5342838b8f9bc99
SSDEEP

49152:W7wSSXQxj0oIvzN2nSrItK09LBUcqYiNs0nkY:WMS0YRkzNDYnqNBkY

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2184	install.exe
1832	isass.exe
2564	torrentkapat.exe

Loads dropped DLL 14 IoCs

pid	Process
292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe
2184	install.exe
2184	install.exe
2184	install.exe
2184	install.exe
2184	install.exe
2184	install.exe
1832	isass.exe
1832	isass.exe
1832	isass.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
1832	isass.exe
2564	torrentkapat.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015f16-24.dat	upx
behavioral1/memory/2564-37-0x0000000000270000-0x0000000000328000-memory.dmp	upx
behavioral1/memory/2564-36-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2564-55-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2564-57-0x0000000000270000-0x0000000000328000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2564-55-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2688	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2184	install.exe
2184	install.exe
2184	install.exe
2184	install.exe
2184	install.exe
2184	install.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2564	torrentkapat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe
2564	torrentkapat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1832	isass.exe
2564	torrentkapat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 2184	292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe	28
PID 292 wrote to memory of 2184	292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe	28
PID 292 wrote to memory of 2184	292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe	28
PID 292 wrote to memory of 2184	292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe	28
PID 292 wrote to memory of 2184	292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe	28
PID 292 wrote to memory of 2184	292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe	28
PID 292 wrote to memory of 2184	292	47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe	28
PID 2184 wrote to memory of 1832	2184	install.exe	29
PID 2184 wrote to memory of 1832	2184	install.exe	29
PID 2184 wrote to memory of 1832	2184	install.exe	29
PID 2184 wrote to memory of 1832	2184	install.exe	29
PID 2184 wrote to memory of 1832	2184	install.exe	29
PID 2184 wrote to memory of 1832	2184	install.exe	29
PID 2184 wrote to memory of 1832	2184	install.exe	29
PID 2184 wrote to memory of 2564	2184	install.exe	30
PID 2184 wrote to memory of 2564	2184	install.exe	30
PID 2184 wrote to memory of 2564	2184	install.exe	30
PID 2184 wrote to memory of 2564	2184	install.exe	30
PID 2184 wrote to memory of 2564	2184	install.exe	30
PID 2184 wrote to memory of 2564	2184	install.exe	30
PID 2184 wrote to memory of 2564	2184	install.exe	30
PID 1832 wrote to memory of 3016	1832	isass.exe	31
PID 1832 wrote to memory of 3016	1832	isass.exe	31
PID 1832 wrote to memory of 3016	1832	isass.exe	31
PID 1832 wrote to memory of 3016	1832	isass.exe	31
PID 1832 wrote to memory of 3016	1832	isass.exe	31
PID 1832 wrote to memory of 3016	1832	isass.exe	31
PID 1832 wrote to memory of 3016	1832	isass.exe	31
PID 3016 wrote to memory of 2684	3016	cmd.exe	33
PID 3016 wrote to memory of 2684	3016	cmd.exe	33
PID 3016 wrote to memory of 2684	3016	cmd.exe	33
PID 3016 wrote to memory of 2684	3016	cmd.exe	33
PID 3016 wrote to memory of 2684	3016	cmd.exe	33
PID 3016 wrote to memory of 2684	3016	cmd.exe	33
PID 3016 wrote to memory of 2684	3016	cmd.exe	33
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34
PID 2684 wrote to memory of 2688	2684	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47fab2748dfbb8faea929ab898951bbc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\isass.exe
    "C:\Users\Admin\AppData\Local\isass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V lsass /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2688
- - C:\Users\Admin\AppData\Local\torrentkapat.exe
    "C:\Users\Admin\AppData\Local\torrentkapat.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
143B

MD5
330d9a81f808b287b999c76c1d932ed6

SHA1
95146f6f084c39395e2fae892af065e85fddb8d1

SHA256
4e2ba5afae8aedfb7664f479ff30667dbabee99f63c922206df98ff56456a03f

SHA512
4abd3d3c6b40ae046366604fdfabdc2c97a54cd4c4046452014fb1087353d216b2920650cc2d147fd6c1a79fd7d73d7cd46a8ada0a5c70de70b87b480034e812

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
1.3MB

MD5
8668d949eeef74b59a15e234dc767d09

SHA1
5932a9c75f4dc5cd281db6cbba90b637c28b806d

SHA256
ca16b494db981b5e7cb2459fa0cceae0fb714954446347ee6b4e116afab40709

SHA512
8e3f6f2a820ff51a51cec164acdee0e635ec97d7cb1a12a04f58b70677ff33fbf952d8ebcac7092f875e7e9292cbfcd54d3f08e5966bf954cc4e6d477bd33dec

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
540KB

MD5
58474427326df74ee9a3df4a1cd3ee5b

SHA1
f15c9f8b4c2879741473148b201d4ededac9ccaa

SHA256
8e1336697f483b08d6035e2d74e5bd8cbb0f9448ebda09138babb59f10846ebb

SHA512
655243c329d4bfe7625e1f03667ec6c03ca715d30522fe0e5553986735ec0fa4273ec75535ccad515d52964bb49c0e151698d98df6420ce666f60337e1731611

Download Submit
\Users\Admin\AppData\Local\ntldr.dll

Filesize
186KB

MD5
3b3f633865e78b077471b52a8e08c7ae

SHA1
49867697fe9f6dd2025ec2081e0c8606257e008a

SHA256
76230baac105470e82f2fdedc13865d9f46c7349ffcc66e239b95893ea433fd4

SHA512
77b9d6eaf413ecb24d552fbe7985ed6d277123eee1b4294db0dc52d5bc396de9c445dc53254f964dfe0ade21e2c54cba17ac6e3008c6935387fbd3e8f1442a1b

Download Submit
\Users\Admin\AppData\Local\torrentkapat.exe

Filesize
286KB

MD5
147f3508b03d717b6b16ad234779b5fa

SHA1
abebca45c4f1feb3219f4216b1a487cee08af7aa

SHA256
d560fe62c7b7cf5afc50168dd0906e170ee961e7db5fd7c382fb9d1a5d75241d

SHA512
3846d5ce3ef956b941c42b5e738776535d1b91ca223ebcd98ea03705f4c2c33034dd9b011e3959392bde151c63a185aca9d6caffaee667d342fcea78a23cde08

Download Submit
memory/292-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/292-8-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/1832-41-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/1832-54-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/1832-53-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2184-31-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2184-32-0x00000000034C0000-0x0000000003578000-memory.dmp

Filesize
736KB

Download
memory/2564-36-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2564-37-0x0000000000270000-0x0000000000328000-memory.dmp

Filesize
736KB

Download
memory/2564-44-0x0000000000EE0000-0x0000000000F12000-memory.dmp

Filesize
200KB

Download
memory/2564-55-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2564-56-0x0000000000EE0000-0x0000000000F12000-memory.dmp

Filesize
200KB

Download
memory/2564-57-0x0000000000270000-0x0000000000328000-memory.dmp

Filesize
736KB

Download