ff9c158d94c49bf07c1ebae7e6d36b63cfa6df4a02f0e98d8ef547c46293cdfd

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 04:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe
Size

18KB
MD5

4837b9df9dd9a23f923edd3a427cf70e
SHA1

44067a474ba71d20bde7e7c5559d7b603b49bf21
SHA256

ff9c158d94c49bf07c1ebae7e6d36b63cfa6df4a02f0e98d8ef547c46293cdfd
SHA512

57361adb8ff604ec4a9145c000e4b610a10d4feae2f4a8c9db3afc4dfde475aed13693ab2975163938500a5a0c277037a84e9fb9ffbc24a754566321338b659f
SSDEEP

384:mQW/WfzBGOuTuyqXBC5xMWf3/s4yvTktqtHzz8NwgNYgm:rtlQ5eWf3/6TOqJHuXNYgm

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\6857EB73\ImagePath = "C:\\Windows\\system32\\E3A5330D.EXE -k"	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	E3A5330D.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\74FE2369.DLL	E3A5330D.EXE
File created	C:\Windows\SysWOW64\delme.bat	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\E3A5330D.EXE	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\E3A5330D.EXE	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\E3A5330D.EXE	E3A5330D.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2864	E3A5330D.EXE
2864	E3A5330D.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2848	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3004	2848	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe	32
PID 2848 wrote to memory of 3004	2848	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe	32
PID 2848 wrote to memory of 3004	2848	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe	32
PID 2848 wrote to memory of 3004	2848	4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4837b9df9dd9a23f923edd3a427cf70e_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\delme.bat
  2⤵
  - Deletes itself
  PID:3004

C:\Windows\SysWOW64\E3A5330D.EXE
C:\Windows\SysWOW64\E3A5330D.EXE -k
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\E3A5330D.EXE

Filesize
18KB

MD5
4837b9df9dd9a23f923edd3a427cf70e

SHA1
44067a474ba71d20bde7e7c5559d7b603b49bf21

SHA256
ff9c158d94c49bf07c1ebae7e6d36b63cfa6df4a02f0e98d8ef547c46293cdfd

SHA512
57361adb8ff604ec4a9145c000e4b610a10d4feae2f4a8c9db3afc4dfde475aed13693ab2975163938500a5a0c277037a84e9fb9ffbc24a754566321338b659f

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
239B

MD5
09f55e576a2f76818f0918ab819209a4

SHA1
ae92ac89277502eb146afbbd2fb066c24ea16229

SHA256
8e58944f48fc3fb3039ea70c1c7e3576425e82b2c3647424a82e777141407c97

SHA512
3718a258c4f57a34c85d2b368c1ab83a7fe8db3fbd3704384efa6047ae56916dabc2cf88abb61e8fe40046ffd2e06a0e9e857aed23eeac583305bca3f09cab7e

Download Submit
memory/2848-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2848-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2848-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2864-6-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2864-7-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2864-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download